Binarly REsearch Team has discovered an OOB read vulnerability in a DXE driver. Improper validation of the PNG chunk length during PNG file processing in AMI firmware leads to an out-of-bounds read.
This vulnerability will not lead to exploitation; however, it may lead to unexpected behaviour during PNG file processing.
The pseudocode of the vulnerable function is shown below:
unsigned __int8 *GetImageSize()
{
    unsigned int ImageSize; // ebx
    unsigned __int8 *result; // rax
    __int64 ImagePtrCursor; // r9
    unsigned __int8 *v3; // rcx
    __int64 v4; // r10
    __int64 v5; // r9
    unsigned __int8 *v6; // rcx
    __int64 v7; // rdx
    unsigned int Length; // r11d
    unsigned __int8 *v9; // [rsp+30h] [rbp+8h] BYREF

    ImageSize = 8;
    GlobalImagePtr += 8i64; // skip the 8-byte PNG signature
    result = (unsigned __int8 *)AllocateZeroPool(4ui64);
    v9 = result;
    if ( result )
    {
        ImagePtrCursor = GlobalImagePtr;
        do
        {
            // copy the 4-byte chunk length field from the image buffer
            v3 = result;
            v4 = 4i64;
            do
            {
                *v3 = v3[ImagePtrCursor - (_QWORD)result];
                ++v3;
                --v4;
            }
            while ( v4 );
            v5 = ImagePtrCursor + 4;
            v6 = result;
            v7 = 4i64;
            // BRLY-LOGOFAIL-2023-014: Chunk length is added without validation to ImagePtrCursor
            Length = result[3] + ((result[2] + ((result[1] + (*result << 8)) << 8)) << 8);
            // copy the 4-byte chunk type field
            do
            {
                *v6 = v6[v5 - (_QWORD)result];
                ++v6;
                --v7;
            }
            while ( v7 );
            ImageSize += Length + 12;
            ImagePtrCursor = Length + 8i64 + v5; // skip data and CRC; no bounds check
        }
        while ( result[3] + ((result[2] + ((result[1] + (*result << 8)) << 8)) << 8) != 1229278788 ); // 0x49454E44 == "IEND"
        GlobalImagePtr = ImagePtrCursor;
        sub_4654(&v9);
        return (unsigned __int8 *)ImageSize;
    }
    return result;
}
As we can see from the pseudocode, the variable Length is initialized from a value (result) which is read directly from the image buffer. Length is then used to update the ImagePtrCursor pointer variable without any validation.
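To make the missing check concrete, the following is an added example written for this advisory; it is not the AMI driver's code or Binarly's code. It walks PNG chunks the same way the pseudocode does: it reads each chunk's big-endian 32-bit length, adds 12 bytes for the length, type and CRC fields, and advances a cursor. png_image_size_unchecked() mirrors the vulnerable pattern, where the cursor and the accumulated size are driven purely by attacker-controlled length fields, while png_image_size_checked() refuses any chunk whose length does not fit in the bytes that remain. The function names, the sample buffers and the 0 return value for "rejected" are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PNG_SIG_LEN   8
#define CHUNK_HDR_LEN 8   /* 4-byte length + 4-byte type */
#define CHUNK_CRC_LEN 4
#define IEND_TYPE 0x49454E44u   /* "IEND", the 1229278788 in the pseudocode */

/* big-endian 32-bit read, the same shift chain the pseudocode uses for Length */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern (constructed mirror of the advisory's loop): the size and
 * cursor are advanced by Length + 12 without comparing Length with buf_len.
 * The loop only stops when the next header would lie outside the buffer so
 * that this demonstration itself stays memory-safe; the returned size still
 * claims far more bytes than the buffer holds, which is what a caller that
 * trusts it would then read out of bounds. */
size_t png_image_size_unchecked(const uint8_t *buf, size_t buf_len)
{
    size_t cursor = PNG_SIG_LEN;          /* GlobalImagePtr += 8 */
    size_t image_size = PNG_SIG_LEN;      /* ImageSize = 8 */
    while (cursor + CHUNK_HDR_LEN <= buf_len) {
        uint32_t length = be32(buf + cursor);
        uint32_t type   = be32(buf + cursor + 4);
        image_size += (size_t)length + 12;   /* ImageSize += Length + 12 */
        cursor     += (size_t)length + 12;   /* advanced without validation */
        if (type == IEND_TYPE)
            break;
    }
    return image_size;
}

/* Hardened form: every advance is bounded by the bytes that remain, the PNG
 * length limit of 2^31-1 is enforced, and IEND must end inside the buffer.
 * Returns the validated image size, or 0 if the image is rejected. */
size_t png_image_size_checked(const uint8_t *buf, size_t buf_len)
{
    if (buf_len < PNG_SIG_LEN)
        return 0;
    size_t cursor = PNG_SIG_LEN;
    for (;;) {
        if (buf_len - cursor < CHUNK_HDR_LEN)
            return 0;                                   /* no room for a header */
        uint32_t length = be32(buf + cursor);
        uint32_t type   = be32(buf + cursor + 4);
        size_t remaining = buf_len - cursor - CHUNK_HDR_LEN;
        if (length > 0x7FFFFFFFu)
            return 0;                                   /* exceeds PNG's length limit */
        if ((size_t)length > remaining || remaining - length < CHUNK_CRC_LEN)
            return 0;                                   /* data or CRC would run past the end */
        cursor += CHUNK_HDR_LEN + length + CHUNK_CRC_LEN;
        if (type == IEND_TYPE)
            return cursor;
    }
}

/* Constructed sample buffers (not real files from the advisory). */
static const uint8_t k_png_sig[PNG_SIG_LEN] = { 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A };

/* signature + a zero-length IEND chunk with its CRC: a minimal well-formed chunk stream */
static const uint8_t k_png_minimal[20] = {
    0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A,
    0x00, 0x00, 0x00, 0x00, 'I', 'E', 'N', 'D', 0xAE, 0x42, 0x60, 0x82
};

/* signature + a chunk claiming 0x7FFFFFF0 bytes of data while only 4 bytes follow */
static const uint8_t k_png_oversized[20] = {
    0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A,
    0x7F, 0xFF, 0xFF, 0xF0, 'I', 'H', 'D', 'R', 0x00, 0x00, 0x00, 0x00
};

/* signature + IEND header but the CRC is cut off */
static const uint8_t k_png_truncated[16] = {
    0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A,
    0x00, 0x00, 0x00, 0x00, 'I', 'E', 'N', 'D'
};

int main(void)
{
    (void)k_png_sig;
    printf("minimal:   unchecked=%zu checked=%zu (buffer is %zu bytes)\n",
           png_image_size_unchecked(k_png_minimal, sizeof k_png_minimal),
           png_image_size_checked(k_png_minimal, sizeof k_png_minimal), sizeof k_png_minimal);
    printf("oversized: unchecked=%zu checked=%zu (buffer is %zu bytes)\n",
           png_image_size_unchecked(k_png_oversized, sizeof k_png_oversized),
           png_image_size_checked(k_png_oversized, sizeof k_png_oversized), sizeof k_png_oversized);
    printf("truncated: unchecked=%zu checked=%zu (buffer is %zu bytes)\n",
           png_image_size_unchecked(k_png_truncated, sizeof k_png_truncated),
           png_image_size_checked(k_png_truncated, sizeof k_png_truncated), sizeof k_png_truncated);
    return 0;
}
```

For the oversized sample the unchecked walker reports a size of roughly 2 GiB for a 20-byte buffer and moves its cursor the same distance, which is the condition the advisory describes: any subsequent copy driven by that cursor reads outside the image. The checked walker rejects the same input before advancing, and also rejects the truncated stream whose IEND chunk lacks its CRC, while accepting the minimal well-formed one. The essential fix is that every increment of the cursor is compared with the number of bytes actually remaining before it takes effect.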
This bug is subject to a 90-day disclosure deadline. After 90 days have elapsed or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.
Binarly REsearch Team