CVE-2026-40339

libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have an out-of-bounds read in ptp unpack Sony DPD() in camlibs/ptp2/ptp-pack.c (line 842). The function reads the FormFlag byte via dtoh8o(data, *poffset) without a prior bounds check. The standard ptp unpack DPD() at lines 686–687 correctly validates *offset + sizeof(uint8 t) > dpdlen before this same read, but the Sony variant omits this check entirely. Commit 09f8a940b1e418b5693f5c11e3016a1ad2cea62d fixes the issue.