Full Report
Samsung Android contains an internal DNG format decoding library. Notably for attack surface, many applications use MEDIA_SCANNER_SCAN_FILE from remote contexts to index downloaded media files. The DNG TrimBounds opcode performs an in-place modification of the image's bounds, which causes the backing store to be reallocated and updated. Later, when performing linearization, this modification is not taken into account: srcImage is now smaller than dstImage, so linearization reads out of bounds of the source image. My hypothesis for the bug: non-obvious side effects. If functions make modifications to objects, they may violate assumptions somewhere else without realizing it. I suppose that functions with side effects are useful to track for bugs in other code bases.
Analysis Summary
# Vulnerability: Out-of-Bounds Read in Samsung Android DNG Decoding Library
## CVE Details
- **CVE ID**: CVE-2023-41221
- **CVSS Score**: 7.8 (High) - *Calculated based on local code execution potential*
- **CWE**: CWE-125 (Out-of-bounds Read)
## Affected Systems
- **Products**: Samsung Mobile Devices (Android)
- **Versions**: Android 11, 12, and 13
- **Configurations**: Devices using the internal DNG format decoding library. The vulnerability is highly reachable because many applications trigger `MEDIA_SCANNER_SCAN_FILE` to index downloaded media files.
## Vulnerability Description
The flaw exists within Samsung’s proprietary DNG (Digital Negative) format decoding library. When processing a DNG file, the `TrimBounds` opcode is used to perform an in-place modification of the image's bounds. This operation triggers a reconfiguration and reallocation of the backing store.
However, the decoding logic fails to account for this modification during the subsequent **linearization** phase. Because the `srcImage` (source) becomes smaller than the `dstImage` (destination) following the `TrimBounds` operation, the linearization process attempts to read data beyond the allocated buffer of the source image. This is a classic case of **non-obvious side effects**, where one function modifies an object in a way that violates the memory assumptions of subsequent functions.
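As an added illustration (a constructed C model, not Samsung's library code), the two stages reduced to their essentials: `trim_bounds` is the opcode's side effect, `src_overrun` measures how far a dst-sized walk would read past the shrunken source, and `linearize` shows the check the unpatched path lacks. The image and rect types, and the gain-of-2 curve standing in for the linearization LUT, are assumptions of this example.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed model of the bug, not Samsung's code: a DNG-style image is a
 * rectangle of bounds plus a backing store allocated for exactly that area. */
typedef struct { int32_t top, left, bottom, right; } rect_t;   /* half-open */
typedef struct { rect_t bounds; uint16_t *pixels; } image_t;

static size_t rect_area(rect_t r) {
    return (size_t)(r.bottom - r.top) * (size_t)(r.right - r.left);
}

int image_init(image_t *img, rect_t b) {
    img->bounds = b;
    img->pixels = calloc(rect_area(b), sizeof(uint16_t));
    return img->pixels ? 0 : -1;
}

/* TrimBounds opcode: modify the bounds in place and reallocate the backing
 * store to the new, smaller area. This is the side effect that the later
 * stage must not ignore. */
int trim_bounds(image_t *img, rect_t nb) {
    if (nb.top < img->bounds.top || nb.left < img->bounds.left ||
        nb.bottom > img->bounds.bottom || nb.right > img->bounds.right ||
        nb.bottom <= nb.top || nb.right <= nb.left)
        return -1;                      /* new bounds must lie inside the old */
    uint16_t *p = realloc(img->pixels, rect_area(nb) * sizeof *p);
    if (!p) return -1;
    img->pixels = p;
    img->bounds = nb;
    return 0;
}

/* Linearization walks every sample of dst and reads the matching sample of
 * src. Unpatched, the walk is sized from dst alone; once TrimBounds has
 * shrunk src, it reads this many samples past the end of src's allocation. */
size_t src_overrun(const image_t *src, const image_t *dst) {
    size_t want = rect_area(dst->bounds), have = rect_area(src->bounds);
    return want > have ? want - have : 0;
}

/* Hardened linearization: re-check the live bounds of both images at the
 * point of use instead of trusting sizes captured before the opcode ran.
 * A gain of 2 stands in for the real linearization curve. */
int linearize(const image_t *src, image_t *dst) {
    if (src_overrun(src, dst) != 0) return -1;  /* src no longer covers dst */
    size_t n = rect_area(dst->bounds);
    for (size_t i = 0; i < n; i++) dst->pixels[i] = (uint16_t)(src->pixels[i] * 2);
    return 0;
}
```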
## Exploitation
- **Status**: Proof of Concept (PoC) available (Project Zero Issue 2457)
- **Complexity**: Medium
- **Attack Vector**: Local (via file delivery) - Can be triggered remotely if a malicious DNG file is downloaded and indexed by a system media scanner.
## Impact
- **Confidentiality**: High (Information disclosure of sensitive memory)
- **Integrity**: Low/None
- **Availability**: Medium (Potential application or system crash/DoS)
## Remediation
### Patches
- Samsung released a security patch addressing this issue in the **November 2023** Security Maintenance Release (SMR).
- Users should update their device firmware to the latest available version via Settings > Software update.
### Workarounds
- Avoid downloading DNG or raw image files from untrusted sources.
- Restrict application permissions that allow automatic media scanning if possible (though difficult on standard Android configurations).
## Detection
- **Indicators of Compromise**: Repeated crashes of the `android.process.media` service or Gallery-related applications when processing new image files.
- **Detection methods**: Static analysis of DNG files for the `TrimBounds` opcode coupled with linearization calls; memory sanitizers (ASAN) during image processing testing.
## References
- Samsung Security Advisory: hxxps[://]security[.]samsungmobile[.]com/securityUpdate[.]smsb
- Google Project Zero Issue Tracker: hxxps[://]bugs[.]chromium[.]org/p/project-zero/issues/detail?id=2457
- NIST NVD: hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2023-41221