Information

File: PtpMgr/PtpApp/PtpOperation.c (probably)
Function: PTP_BLERequest()

The handler allocates a 24-byte heap buffer and copies the received message into it without checking the message length. The copy starts at offset 4 of the buffer (the first DWORD is reserved for a value written afterwards), so only 20 bytes of payload actually fit. The received message has no length constraint and can be far larger than 24 bytes, so an oversized message overwrites whatever follows the allocation on the heap.

Decompiled, the vulnerable code looks roughly like this:

...
input_size = ctx->get_data_size_ptr(ctx->handle);
if ( !input_size )
{
    ... // error handling
    return 0;
}
// EI-DBG: Heap buffer is allocated with a fixed size of 24 bytes
pBuffer = PTP_AllocateMemory(global_ptp_memory_context, 24);
// EI-DBG: Attacker's input is copied to offset 4 of the buffer using the unverified "input_size";
//         anything beyond 20 bytes overflows the allocation
ctx->recv_data_ptr(ctx->handle, pBuffer + 4, input_size);
*(_DWORD *)pBuffer = param2;
res = sub_FE5623CC(7, pBuffer, 24);
PTP_FreeMemory(global_ptp_memory_context, pBuffer);
...
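The pattern above, rebuilt as an added example in C; this is not code from the camera firmware or from the referenced research. A stand-in transport context (ble_ctx_t, ble_get_data_size and ble_recv_data are hypothetical names) feeds a constructed message to a handler that mirrors the decompiled logic, and to a hardened variant that rejects anything larger than the 20 bytes left behind the 4-byte header. The 24-byte object is placed at the head of a canary-filled arena so the bytes overwritten beyond it can be counted without the demonstration itself relying on undefined behaviour.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PTP_BUF_SIZE    24                              /* size passed to PTP_AllocateMemory */
#define PTP_HDR_SIZE    4                               /* param2 is stored in the first DWORD */
#define PTP_MAX_PAYLOAD (PTP_BUF_SIZE - PTP_HDR_SIZE)   /* 20 bytes actually available for data */

/* Hypothetical stand-in for the firmware's transport context. The real ctx
 * exposes get_data_size_ptr / recv_data_ptr callbacks; here they serve a
 * constructed attacker message held in memory. */
typedef struct {
    const uint8_t *msg;
    size_t         msg_len;
} ble_ctx_t;

static size_t ble_get_data_size(const ble_ctx_t *ctx) { return ctx->msg_len; }
static void   ble_recv_data(const ble_ctx_t *ctx, uint8_t *dst, size_t n) { memcpy(dst, ctx->msg, n); }

/* The 24-byte heap object is modelled as the head of a larger arena filled with
 * a canary, so the bytes that follow it (neighbouring heap data on the camera)
 * can be inspected after the handler runs. */
#define ARENA_SIZE  64
#define CANARY_BYTE 0xA5

typedef int (*ptp_handler_t)(const ble_ctx_t *ctx, uint32_t param2, uint8_t *pBuffer);

/* Mirrors the decompiled handler: the copy length comes straight from the
 * transport and is never compared against the 24-byte allocation. */
static int ptp_ble_request_vulnerable(const ble_ctx_t *ctx, uint32_t param2, uint8_t *pBuffer)
{
    size_t input_size = ble_get_data_size(ctx);
    if (input_size == 0)
        return -1;                                          /* original error path */
    ble_recv_data(ctx, pBuffer + PTP_HDR_SIZE, input_size); /* overflows when input_size > 20 */
    memcpy(pBuffer, &param2, sizeof param2);                /* *(_DWORD *)pBuffer = param2 */
    return 0;
}

/* Hardened form: reject anything that does not fit behind the 4-byte header. */
static int ptp_ble_request_fixed(const ble_ctx_t *ctx, uint32_t param2, uint8_t *pBuffer)
{
    size_t input_size = ble_get_data_size(ctx);
    if (input_size == 0 || input_size > PTP_MAX_PAYLOAD)
        return -1;
    ble_recv_data(ctx, pBuffer + PTP_HDR_SIZE, input_size);
    memcpy(pBuffer, &param2, sizeof param2);
    return 0;
}

/* Runs one handler over a constructed message of msg_len 'A' bytes and reports
 * how many canary bytes beyond the 24-byte object were overwritten. The length is
 * capped so the unchecked copy stays inside the arena. */
static size_t run_case(ptp_handler_t handler, size_t msg_len, int *rc_out)
{
    uint8_t arena[ARENA_SIZE];
    uint8_t msg[ARENA_SIZE];
    memset(arena, CANARY_BYTE, sizeof arena);
    memset(msg, 'A', sizeof msg);                           /* constructed attacker payload */
    if (msg_len > ARENA_SIZE - PTP_HDR_SIZE)
        msg_len = ARENA_SIZE - PTP_HDR_SIZE;

    ble_ctx_t ctx = { msg, msg_len };
    int rc = handler(&ctx, 0x1234u, arena);
    if (rc_out)
        *rc_out = rc;

    size_t clobbered = 0;
    for (size_t i = PTP_BUF_SIZE; i < ARENA_SIZE; i++)
        if (arena[i] != CANARY_BYTE)
            clobbered++;
    return clobbered;
}

/* Convenience wrappers: bytes written past the object, and the handler's return code. */
static size_t overflow_bytes(ptp_handler_t handler, size_t msg_len) { return run_case(handler, msg_len, NULL); }
static int    handler_result(ptp_handler_t handler, size_t msg_len) { int rc; run_case(handler, msg_len, &rc); return rc; }

int main(void)
{
    printf("vulnerable, 20-byte message: %zu bytes past object (rc %d)\n",
           overflow_bytes(ptp_ble_request_vulnerable, 20), handler_result(ptp_ble_request_vulnerable, 20));
    printf("vulnerable, 40-byte message: %zu bytes past object (rc %d)\n",
           overflow_bytes(ptp_ble_request_vulnerable, 40), handler_result(ptp_ble_request_vulnerable, 40));
    printf("fixed,      40-byte message: %zu bytes past object (rc %d)\n",
           overflow_bytes(ptp_ble_request_fixed, 40), handler_result(ptp_ble_request_fixed, 40));
    return 0;
}
```

A 20-byte message fills the object exactly and touches nothing else; a 21-byte message already writes one byte past it, and a 40-byte message writes 20. The hardened variant refuses with the handler's existing error path instead of copying. The other defensible fix is to size the allocation from input_size plus the 4-byte header; either way the length has to be checked before recv_data_ptr runs, not after.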


References:
https://research.checkpoint.com/say-cheese-ransomware-ing-a-dslr-camera
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5999