Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Samsung: QuramDng TrimBounds Opcode leads to out-of-bounds reads - 1826

ti...@google.com, posted 3 months ago
  • Samsung Android contains an internal DNG format decoding library. Notably for attack surface, many applications use the MEDIA_SCANNER_SCAN_FILE from remote contexts to index media files that are downloaded.
  • DNG's TrimBounds opcode does an in-place modification to the image's bounds. This causes the backing store to be reallocated and updated.
  • Later, when performing linearization, this modification is not taken into account. During usage, srcImage is now smaller than dstImage. This leads to an out-of-bounds read during linearization.
  • My hypothesis for the bug: non-obvious side effects. If functions are making modifications to objects, they may violate assumptions somewhere else without realizing it. I suppose that functions with side effects are useful to track for bugs in other code bases.