500 - Samsung Galaxy S6: Samsung Gallery GIF Parsing Crash - project-zero

Starred by 3 users

Status:	Fixed
Owner:	natashenka@google.com
Closed:	Dec 2015
Cc:	project-...@google.com
Finder-natashenka Vendor-Samsung Deadline-90 Product-S6 Reported-2015-Aug-3 CCProjectZeroMembers CVE-2015-7898 Severity-High

Samsung Galaxy S6: Samsung Gallery GIF Parsing Crash

Project Member Reported by natashenka@google.com, Aug 4 2015

Back to list

There is a crash when the Samsung Gallery application load the attached GIF, colormap.gif.

D/skia    (10905): GIF - Parse error
D/skia    (10905): --- decoder->decode returned false
F/libc    (10905): Fatal signal 11 (SIGSEGV), code 2, fault addr 0x89f725ac in tid 11276 (thread-pool-0)
I/DEBUG   ( 2958): pid: 10905, tid: 11276, name: thread-pool-0  >>> com.sec.android.gallery3d <<<
I/DEBUG   ( 2958): signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x89f725ac
I/DEBUG   ( 2958):     x0   0000000000000001  x1   0000000089f725ac  x2   0000000000000000  x3   00000000fff9038c
I/DEBUG   ( 2958):     x4   0000007f9c300000  x5   000000000000001f  x6   0000000000000001  x7   0000007f9c620048
I/DEBUG   ( 2958):     x8   0000000000000000  x9   0000000000000000  x10  0000000000000080  x11  0000000000003758
I/DEBUG   ( 2958):     x12  0000000000000020  x13  0000000000000020  x14  00000000000000a5  x15  000000000000001f
I/DEBUG   ( 2958):     x16  00000000ffffe4e3  x17  00000000000000a5  x18  0000007f9c300000  x19  0000007f9c61fc00
I/DEBUG   ( 2958):     x20  0000007f9c664080  x21  0000000089e76b2c  x22  000000000000003b  x23  0000000000000001
I/DEBUG   ( 2958):     x24  0000000000000020  x25  0000000000000020  x26  0000000000000020  x27  0000007f9c664080
I/DEBUG   ( 2958):     x28  00000000000001da  x29  0000000032e89ae0  x30  0000007faad70e64
I/DEBUG   ( 2958):     sp   0000007f9cfff170  pc   0000007faad72dbc  pstate 0000000080000000
I/DEBUG   ( 2958): 
I/DEBUG   ( 2958): backtrace:
I/DEBUG   ( 2958):     #00 pc 000000000002ddbc  /system/lib64/libSecMMCodec.so (ColorMap+200)
I/DEBUG   ( 2958):     #01 pc 000000000002be60  /system/lib64/libSecMMCodec.so (decodeGIF+340)
I/DEBUG   ( 2958):     #02 pc 000000000000c90c  /system/lib64/libSecMMCodec.so (Java_com_sec_samsung_gallery_decoder_SecMMCodecInterface_nativeDecode+436)
I/DEBUG   ( 2958):     #03 pc 000000000042ec00  /system/priv-app/SecGallery2015/arm64/SecGallery2015.odex

To reproduce, download the file and open it in Gallery


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

	colormap.gif 236 bytes View Download

Project Member Comment 1 by natashenka@google.com, Oct 22 2015

Owner: natashenka@google.com

Issue appears unfixed in G925VVRU4B0G9

Project Member Comment 2 by natashenka@google.com, Oct 23 2015

Labels: CVE-2015-7898

Project Member Comment 3 by natashenka@google.com, Nov 2 2015

Labels: -Restrict-View-Commit

Samsung is planning to fix this in their November MR.

Project Member Comment 4 by natashenka@google.com, Dec 17 2015

Status: Fixed

Comment 5 Deleted

Comment 6 Deleted

► Sign in to add a comment