Issue metadata
Sign in to add a comment
|
Possible OOB write in v4l2_jpeg_decode_accelerator.cc |
||||||||||||||||||||||
Issue descriptionDisclaimer: I have no idea how to build and run this code, so my analysis could be completely wrong. In AddHuffmanTable() in v4l2_jpeg_decode_accelerator.cc (https://cs.chromium.org/chromium/src/media/gpu/v4l2_jpeg_decode_accelerator.cc): |input_ptr| is the mapped shared memory whose handle is provided by a renderer. |output_ptr| in this function is the buffer used as input for the V4L2 device, whose size is checked is to be at least the input shared memory size + |sizeof(kDefaultDhtSeg)| (sizeof(kDefaultDhtSeg) should be 420). However: while (!has_marker_sos && !has_marker_dht) { ... switch (marker2) { case JPEG_DHT: { has_marker_dht = true; break; } case JPEG_SOS: { if (!has_marker_dht) { memcpy(static_cast<uint8_t*>(output_ptr) + current_offset, kDefaultDhtSeg, sizeof(kDefaultDhtSeg)); current_offset += sizeof(kDefaultDhtSeg); } has_marker_sos = true; break; } default: break; } There is no limit on how many times kDefaultDhtSeg could be written to the output, meaning the |current_offset| (which isn't checked against |output_size|), could be incremented by 421 an arbitrary number of times for each 5ish bytes in an input provided by a malicious renderer, leading to an eventual OOB write.
,
Jul 29 2016
,
Aug 1 2016
,
Aug 1 2016
,
Aug 1 2016
Once we copy huffman table to |output_ptr|, |has_marker_sos| is set to true. Then we will exit the while loop with (!has_marker_sos && !has_marker_dht) condition. Therefore, the huffman table only can be added one time.
,
Aug 1 2016
My bad, looks like I misread the code. WontFixing.
,
Nov 7 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by sheriffbot@chromium.org
, Jul 29 2016