Security - Unexploitable: Integer Overflow in media::mp4::TrackRunIterator::Init leading to arbitrary size OOB read in an arbitrary offset from the buffer.
Reported by
shmuelha...@gmail.com,
Sep 6 2016
Issue description

This template is ONLY for reporting security bugs. If you are reporting a Download Protection Bypass bug, please use the "Security - Download Protection" template. For all other reports, please use a different template. Please see the following link for instructions on filing security bugs: http://www.chromium.org/Home/chromium-security/reporting-security-bugs

NOTE: Currently, this bug is NOT exploitable due to ffmpeg's checking in avformat_find_stream_info and an OOM error before the actual vulnerability. I'm posting it under "security" because I'm not sure that's the case for all of Chromium's configurations.

VULNERABILITY DETAILS

An integer overflow in a signed variable "sample_count_sum" in TrackRunIterator::Init that later gets used as a parameter to an input iterator.

int sample_count_sum = 0;

[code from https://cs.chromium.org/chromium/src/media/formats/mp4/track_run_iterator.cc?rcl=0&l=360]
tri.aux_info_sizes.insert(
    tri.aux_info_sizes.begin(),
    sizes.begin() + sample_count_sum,                      // sample_count_sum is user controlled.
    sizes.begin() + sample_count_sum + trun.sample_count); // trun.sample_count is user controlled.
[/code]

[code from https://cs.chromium.org/chromium/src/media/formats/mp4/track_run_iterator.cc?q=TrackRunIterator::Init&sq=package:chromium&dr=CSs&l=420]
sample_count_sum += trun.sample_count;  // integer overflow here,
                                        // trun.sample_count is user controlled.
[/code]

However, the program will probably die from OOB before running this code, because an exploit will require a file of trun.sample_count bytes.

VERSION

Chrome Version: 53.0.2785.92, stable.
Operating System: Arch Linux.

REPRODUCTION CASE

Please include a demonstration of the security bug, such as an attached HTML or binary file that reproduces the bug when loaded in Chrome. PLEASE make the file as small as possible and remove any content not required to demonstrate the bug.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION

Type of crash: [tab, browser, etc.]
Crash State: [see link above: stack trace, registers, exception record]
Client ID (if relevant): [see link above]

NOTES:

1: None of the values that get read in box_definition.cc get validated as they should. That gave me as an attacker a lot of flexibility and may create many more security bugs.
Sep 7 2016
hi kqyang, can you or someone on the media team take a look at this bug?
Sep 7 2016
Sure, replacing "int sample_count_sum" with "uint64_t sample_count_sum" should solve the problem, since sample_count is only four bytes. I'll prepare a CL for that.
Sep 8 2016
Sep 9 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/5a30782ddb6a7c5f4a1a073253e4a162d82864df

commit 5a30782ddb6a7c5f4a1a073253e4a162d82864df
Author: kqyang <kqyang@chromium.org>
Date: Fri Sep 09 03:12:55 2016

Change type of sample_count_sum from int to uint64_t to fix possible overflow

BUG= 644373
Review-Url: https://codereview.chromium.org/2326893002
Cr-Commit-Position: refs/heads/master@{#417490}

[modify] https://crrev.com/5a30782ddb6a7c5f4a1a073253e4a162d82864df/media/formats/mp4/track_run_iterator.cc
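The following is an added, self-contained illustration of the overflow described in the report and of the type widening the fix above applies; it is not Chromium code. TrackFragmentRun is a constructed stand-in for the parsed trun box with only the one field that matters, sizes is a constructed stand-in for the per-sample aux_info size table, and the explicit range check against sizes.size() is an extra defensive step assumed here, beyond what the commit itself changes. The first function detects (without performing the undefined signed overflow) whether accumulating 32-bit sample counts in a plain int would wrap; the second accumulates in uint64_t, as the fix does, and refuses any run whose slice would extend past the table.

```cpp
#include <climits>
#include <cstdint>
#include <iostream>
#include <vector>

// Constructed stand-in for the parsed 'trun' box: only the field used here.
struct TrackFragmentRun {
  uint32_t sample_count;  // 32-bit field read straight from the file
};

// True if summing sample_count over the runs in a plain `int` would overflow
// at some point. The check is done in 64-bit so this function itself never
// performs the (undefined) signed overflow it is looking for.
bool IntAccumulationOverflows(const std::vector<TrackFragmentRun>& runs) {
  int sum = 0;
  for (const auto& run : runs) {
    if (static_cast<int64_t>(sum) + run.sample_count > INT_MAX) return true;
    sum += static_cast<int>(run.sample_count);  // safe: checked above
  }
  return false;
}

// Hardened accumulation: uint64_t (as in the fix) cannot wrap with 32-bit
// addends unless there are on the order of 2^32 runs, and each slice is
// range-checked against the size table before any iterator is formed.
// Returns false (and leaves `out` empty) if any run is out of range.
bool SliceAuxInfoSizes(const std::vector<uint8_t>& sizes,
                       const std::vector<TrackFragmentRun>& runs,
                       std::vector<std::vector<uint8_t>>& out) {
  out.clear();
  uint64_t sample_count_sum = 0;
  for (const auto& run : runs) {
    uint64_t end = sample_count_sum + run.sample_count;
    if (end > sizes.size()) {  // would read past the table: reject the file
      out.clear();
      return false;
    }
    out.emplace_back(sizes.begin() + sample_count_sum, sizes.begin() + end);
    sample_count_sum = end;
  }
  return true;
}

int main() {
  // Constructed inputs: a 5-entry size table and a few run layouts.
  std::vector<uint8_t> sizes = {1, 2, 3, 4, 5};
  std::vector<TrackFragmentRun> benign = {{2}, {3}};
  std::vector<TrackFragmentRun> wraps_int = {{0x7FFFFFFFu}, {1}};
  std::vector<TrackFragmentRun> huge = {{0xFFFFFFFFu}};

  std::cout << "benign overflows int: " << IntAccumulationOverflows(benign) << "\n";
  std::cout << "wraps_int overflows int: " << IntAccumulationOverflows(wraps_int) << "\n";

  std::vector<std::vector<uint8_t>> slices;
  std::cout << "benign accepted: " << SliceAuxInfoSizes(sizes, benign, slices) << "\n";
  std::cout << "huge accepted: " << SliceAuxInfoSizes(sizes, huge, slices) << "\n";
  return 0;
}
```

The point of the second function is that widening the accumulator removes the wrap, but it is the comparison against sizes.size() that actually keeps the iterator pair inside the buffer when a single run's sample_count is larger than the table.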
Sep 9 2016
Sep 10 2016
Dec 17 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Sep 6 2016