Android libstagefright heap buffer overflow due to integer overflow in MP3 ID3 tag parsing

Reported by ianbeer@google.com (Project Member), Aug 12 2015
The following code is invoked when parsing ID3v2.4 tags in the Android media server (taken from https://android.googlesource.com/platform/frameworks/av/+/master/media/libstagefright/id3/ID3.cpp):

    bool ID3::removeUnsynchronizationV2_4(bool iTunesHack) {
        size_t oldSize = mSize;

        size_t offset = 0;
        while (offset + 10 <= mSize) {
            if (!memcmp(&mData[offset], "\0\0\0\0", 4)) {
                break;
            }

            size_t dataSize;
            if (iTunesHack) {
                dataSize = U32_AT(&mData[offset + 4]);                       // <-- (A)
            } else if (!ParseSyncsafeInteger(&mData[offset + 4], &dataSize)) {
                return false;
            }

            if (offset + dataSize + 10 > mSize) {                            // <-- (B)
                return false;
            }

            uint16_t flags = U16_AT(&mData[offset + 8]);
            uint16_t prevFlags = flags;

            if (flags & 1) {
                // Strip data length indicator
                memmove(&mData[offset + 10], &mData[offset + 14], mSize - offset - 14);
                mSize -= 4;
                dataSize -= 4;

                flags &= ~1;
            }

            if (flags & 2) {
                // This file has "unsynchronization", so we have to replace occurrences
                // of 0xff 0x00 with just 0xff in order to get the real data.

                size_t readOffset = offset + 11;
                size_t writeOffset = offset + 11;
                for (size_t i = 0; i + 1 < dataSize; ++i) {                  // <-- (C)
                    if (mData[readOffset - 1] == 0xff && mData[readOffset] == 0x00) {
                        ++readOffset;
                        --mSize;
                        --dataSize;
                    }
                    mData[writeOffset++] = mData[readOffset++];
                }
                // ... (remainder of the function not included in the report)

At point (A) we read a controlled 32-bit value from the MP3. At (B) we can pass the check by providing a sufficiently large value for dataSize such that offset + dataSize + 10 overflows. Then at point (C) the large dataSize value is used as the terminating condition for a memory-copying loop. By ensuring that the file does contain sequences of 0xff 0x00 bytes we can make sure that the copy is indeed modifying memory.

PoC attached.

Tested on Nexus 6 and Android One, both running Lollipop 5.1.1.
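The root cause at (B) is that the sum offset + dataSize + 10 is computed in size_t and can wrap, so a huge dataSize read at (A) compares as small. The C below is an added illustration, not code from the report, from AOSP, or from the fix Android shipped: it places the additive check beside a subtractive form that cannot wrap, and applies the safe form to one frame header in a constructed tag buffer. The names be32_at (standing in for U32_AT), frame_fits_unsafe, frame_fits_safe, validate_frame, sample_frame_size and the kSampleTag bytes are all assumptions made for this example. Note that a size field read as 32 bits can only bring the sum near SIZE_MAX when size_t is itself 32 bits; the check functions take size_t directly so the comparison behaves the same on either width.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical big-endian 32-bit read, the role U32_AT plays in the report. */
static uint32_t be32_at(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The bounds check as written at point (B): the addition is performed in
   size_t, so an attacker-controlled dataSize close to SIZE_MAX wraps the sum
   to a small number and the check passes. */
static bool frame_fits_unsafe(size_t offset, size_t dataSize, size_t mSize) {
    return !(offset + dataSize + 10 > mSize);
}

/* Overflow-aware form of the same check: first confirm the 10-byte frame
   header itself fits, then compare dataSize against the remaining space.
   Every subtraction is guarded, so no term can wrap. */
static bool frame_fits_safe(size_t offset, size_t dataSize, size_t mSize) {
    if (offset > mSize || mSize - offset < 10) {
        return false;
    }
    return dataSize <= mSize - offset - 10;
}

/* Validate one frame header at `offset` inside a `size`-byte buffer using the
   safe check, assuming the plain 32-bit size encoding of the iTunesHack path.
   On success the frame's data size is returned through *dataSize. */
static bool validate_frame(const uint8_t *buf, size_t size, size_t offset,
                           size_t *dataSize) {
    if (offset > size || size - offset < 10) {
        return false;               /* not even a full 10-byte header left */
    }
    size_t ds = be32_at(buf + offset + 4);
    if (!frame_fits_safe(offset, ds, size)) {
        return false;               /* declared size runs past the buffer */
    }
    *dataSize = ds;
    return true;
}

/* Constructed sample: one "TIT2" frame (id, size 4, flags 0, 4 data bytes)
   followed by zero padding. This is made-up data for the example only. */
static const uint8_t kSampleTag[24] = {
    'T', 'I', 'T', '2',  0, 0, 0, 4,  0, 0,  'a', 'b', 'c', 'd'
};

/* Returns the validated data size of the sample frame, or 0 on rejection. */
static size_t sample_frame_size(void) {
    size_t ds = 0;
    return validate_frame(kSampleTag, sizeof kSampleTag, 0, &ds) ? ds : 0;
}

int main(void) {
    printf("sample frame data size: %zu\n", sample_frame_size());
    /* A size near SIZE_MAX wraps the additive sum but not the subtractive check. */
    printf("additive check accepts wrapped size:    %d\n",
           frame_fits_unsafe(0, SIZE_MAX - 5, sizeof kSampleTag));
    printf("subtractive check rejects wrapped size: %d\n",
           !frame_fits_safe(0, SIZE_MAX - 5, sizeof kSampleTag));
    return 0;
}
```

The same rearrangement applies to any length check of the form `base + len + header > total`: compare `len` against `total - base - header` after proving the subtraction cannot underflow, or use checked-add helpers such as `__builtin_add_overflow` where the compiler provides them.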
Comment 1 by ianbeer@google.com (Project Member), Aug 12 2015

Android security bug report: https://code.google.com/p/android/issues/detail?id=182510

Oct 13 2015

Advisory: https://groups.google.com/forum/#!topic/android-security-updates/iv1BF0f0XY4

Jan 27 2016