syoyo tinydng tiny_dng_loader.h __interceptor_memcpy heap-based overflow
Description
A vulnerability, which was classified as problematic, has been found in syoyo tinydng. Affected by this issue is the function __interceptor_memcpy of the file tiny_dng_loader.h. The manipulation leads to heap-based buffer overflow. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. It is recommended to apply a patch to fix this issue. VDB-223562 is the identifier assigned to this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- syoyo/tinydngv5Range: n/a
Patches
Vulnerability mechanics
Root cause
"Missing bounds checking in the TGA image loading path within stb_image.h allows a crafted DNG file to trigger a heap-buffer-overflow when memcpy reads beyond the allocated buffer."
Attack vector
An attacker provides a crafted DNG file that, when parsed by tinydng, causes the TGA loading code in stb_image.h to read beyond the bounds of a heap-allocated buffer. The ASAN report shows a READ of size 6927 at an address 0 bytes to the right of a 944-byte region [ref_id=1][ref_id=2], and a separate READ of size 1 at an address 0 bytes to the right of a 1672-byte region [ref_id=3]. The overflow occurs in __interceptor_memcpy (via stbi__getn) and in stbi__get8 during stbi__tga_load [ref_id=1][ref_id=2][ref_id=3]. Local access is required to load the malicious file.
Affected code
The vulnerability is in the function __interceptor_memcpy within the file tiny_dng_loader.h [ref_id=1][ref_id=2]. The call chain passes through stbi__getn (stb_image.h:1623), stbi__tga_load (stb_image.h:5756), stbi__load_main, stbi__load_and_postprocess_8bit, stbi_load_from_memory, and finally tinydng::LoadDNGFromMemory at tiny_dng_loader.h:5478 [ref_id=1][ref_id=2]. A second variant hits stbi__get8 at stb_image.h:1557 [ref_id=3].
What the fix does
No patch is included in the bundle. The advisory recommends applying a patch to fix the issue, but no specific fix diff is published [ref_id=1][ref_id=2][ref_id=3]. The product uses continuous delivery with rolling releases, so no version details of affected or updated releases are available. Remediation would require adding bounds checks in the TGA loading functions (stbi__tga_load, stbi__getn, stbi__get8) in stb_image.h to ensure reads do not exceed the allocated buffer size.
Preconditions
- authAttacker must have local access to the system to load the crafted DNG file
- inputThe victim application must use tinydng to load a DNG file from a local path or memory
Reproduction
The PoC file is available at the GitHub repository https://github.com/10cksYiqiyinHangzhouTechnology/tinydngSecurityIssueReport1 [ref_id=1]. The ASAN report was produced by running the compiled `asan_tinydng` binary with a crafted crash input file (e.g., `id:000013,sig:11,src:000603,time:45067989,execs:9583622,op:havoc,rep:2`) [ref_id=1][ref_id=2]. A second PoC file (`id:000019,sig:11,src:000509,time:63211643,execs:13272738,op:havoc,rep:8`) triggers a separate heap-buffer-overflow of size 1 [ref_id=3].
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- github.com/syoyo/tinydng/issues/28mitreissue-tracking
- github.com/syoyo/tinydng/issues/29mitreissue-tracking
- vuldb.commitresignaturepermissions-required
- vuldb.commitrevdb-entrytechnical-description
News mentions
0No linked articles in our index yet.