# Vulnerability Summary

## Vulnerability Overview

- **Vulnerability Type**: Buffer Overflow
- **Vulnerability Description**: The functions `ptp_unpack_EOS_ImageFormat()` and `ptp_unpack_EOS_CustomFuncEx()` accept `unsigned char` data but perform no length check on it. This allows reading up to 36 bytes of `ImageFormat` data and up to 1024 bytes of `CustomFuncData` via the `dtoh32` call. Although the caller `ptp_unpack_EOS_events()` has a `size` value available, it is never passed.
- **CVE Number**: CVE-2026-40333
- **Reporter**: Sebastian Alba

## Affected Scope

- Affected Functions:
  - `ptp_unpack_EOS_ImageFormat()`
  - `ptp_unpack_EOS_CustomFuncEx()`
- Affected Code File: `lib/libptp2/ptp-pack.c`

## Remediation Plan

- In the `ptp_unpack_EOS_ImageFormat()` function:
  - Add an `unsigned int *size` parameter
  - Check whether `size` is sufficient before parsing each attribute
  - Update the `size` value to reflect the number of bytes consumed
- In the `ptp_unpack_EOS_CustomFuncEx()` function:
  - Add an `unsigned int *size` parameter
  - Check whether `size` is sufficient before parsing the data
  - Update the `size` value to reflect the number of bytes consumed
- In the `ptp_unpack_EOS_events()` function:
  - Pass the `size` parameter to `ptp_unpack_EOS_ImageFormat()` and `ptp_unpack_EOS_CustomFuncEx()`

## POC Code / Exploit Code

None
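
The size-tracking pattern from the Remediation Plan above, as an added C sketch that is not libgphoto2's code or the actual patch. The names `take_u32` and `unpack_image_format`, the record layout (a count word followed by one or two entries of four 32-bit fields) and the sample bytes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
/* Read one little-endian u32 only if *size covers it, then advance the
 * cursor and shrink *size by the 4 bytes consumed. Returns 1 on success. */
static int take_u32(const unsigned char **data, unsigned int *size, uint32_t *out)
{
    const unsigned char *p = *data;
    if (*size < 4)
        return 0;
    *out = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    *data += 4;
    *size -= 4;
    return 1;
}

/* Hypothetical parser (assumed layout: count word of 1 or 2, then count
 * entries of four u32 fields, 36 bytes at most). Returns 1 on success; on
 * truncated or malformed input returns 0 and leaves *data and *size as is. */
int unpack_image_format(const unsigned char **data, unsigned int *size,
                        uint32_t fields[2][4], uint32_t *count)
{
    const unsigned char *cur = *data;
    unsigned int left = *size;
    uint32_t n, i, f;
    if (!take_u32(&cur, &left, &n) || n < 1 || n > 2)
        return 0;
    for (i = 0; i < n; i++)
        for (f = 0; f < 4; f++)
            if (!take_u32(&cur, &left, &fields[i][f]))
                return 0;
    *count = n;
    *data = cur;   /* commit the cursor and remaining size only on success */
    *size = left;
    return 1;
}
/* Constructed sample: count = 1, one entry, 2 bytes of a following record. */
static const unsigned char sample[] = {
    1,0,0,0, 0x10,0,0,0, 1,0,0,0, 3,0,0,0, 2,0,0,0, 0xaa,0xbb };

int main(void)
{
    const unsigned char *p = sample, *q = sample;
    unsigned int size = sizeof(sample), cut = 12;
    uint32_t fields[2][4], count = 0;
    int ok = unpack_image_format(&p, &size, fields, &count);
    printf("full: ok=%d count=%u left=%u\n", ok, (unsigned)count, size);
    printf("truncated: ok=%d\n", unpack_image_format(&q, &cut, fields, &count));
    return 0;
}
```

Because the caller's `size` is decremented only by what was actually consumed, the next record in the same buffer is parsed against the correct remaining length.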