libstagefright integer overflow and heap corruption with saio tag
Reported by cevans@google.com, Aug 12 2015
Via code auditing, there's a fairly obvious integer overflow vulnerability in MPEG4Source::parseSampleAuxiliaryInformationOffsets:
    uint32_t entrycount;
    if (!mDataSource->getUInt32(offset, &entrycount)) {
        return ERROR_IO;
    }
    offset += 4;
    if (entrycount > mCurrentSampleInfoOffsetsAllocSize) {
        mCurrentSampleInfoOffsets = (uint64_t*) realloc(mCurrentSampleInfoOffsets, entrycount * 8);
The "entrycount * 8" overflows.
Crafting a PoC file proved trickier, but attached are three files:
1) real_tfhd.mp4 -- original file.
2) tfhd_saio.mp4 -- file with a tfhd atom replaced with a bad saio atom; crashes reliably.
3) tfhd_saio3.mp4 -- same as 2) but with a bunch of A characters sprinkled in. Sometimes it will crash with 0x41414141 + small constant as a register value.
This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
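To make the arithmetic in the report concrete, the following is an added example written for this page; it is not code from the report, from the attached PoC files, or from libstagefright, and its hardened parser is this example's own mitigation rather than the upstream fix. It assumes a version-0 saio body (version/flags, a big-endian entry_count, then 32-bit offsets) and uses two constructed byte arrays: a benign table with three entries and a forged one whose entry_count of 0x20000001 makes entry_count * 8 wrap to 8 in 32-bit arithmetic while only three entries of payload follow.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/*
 * Assumed 'saio' body layout (version 0, flags 0, so no aux_info_type fields):
 *   uint8_t version; uint8_t flags[3]; uint32_t entry_count; uint32_t offset[entry_count];
 * All fields big-endian. The arrays below are constructed for this example.
 */

/* Benign body: entry_count = 3, offsets 0x1000, 0x2000, 0x3000. */
static const uint8_t benign_saio[] = {
    0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x03,
    0x00, 0x00, 0x10, 0x00,
    0x00, 0x00, 0x20, 0x00,
    0x00, 0x00, 0x30, 0x00,
};

/* Forged body: entry_count = 0x20000001 (so count * 8 wraps to 8 in 32 bits),
 * but only three entries of payload actually follow. */
static const uint8_t forged_saio[] = {
    0x00, 0x00, 0x00, 0x00,
    0x20, 0x00, 0x00, 0x01,
    0x00, 0x00, 0x10, 0x00,
    0x00, 0x00, 0x20, 0x00,
    0x00, 0x00, 0x30, 0x00,
};

/* Bounds-checked big-endian 32-bit read; returns 0 if the field is not present. */
static int get_be32(const uint8_t *buf, size_t len, size_t off, uint32_t *out)
{
    if (off > len || len - off < 4)
        return 0;
    *out = ((uint32_t)buf[off] << 24) | ((uint32_t)buf[off + 1] << 16) |
           ((uint32_t)buf[off + 2] << 8) | (uint32_t)buf[off + 3];
    return 1;
}

/* Shape of the vulnerable computation: entrycount is uint32_t and 8 is an int,
 * so the multiply happens in 32 bits and wraps before the result is widened to
 * size_t for realloc. Returns the size realloc would be asked for. */
uint32_t vulnerable_alloc_size(uint32_t entrycount)
{
    return entrycount * 8;
}

/* Hardened parser (this example's own mitigation): entry_count is bounded by
 * the bytes actually present in the atom, and the allocation size is computed
 * in size_t behind an explicit overflow check. Returns the number of entries
 * parsed, or -1 for malformed input. */
long parse_saio_hardened(const uint8_t *atom, size_t atom_len, uint64_t **out)
{
    uint32_t entrycount;
    size_t offset = 4;                  /* skip version(1) + flags(3) */

    *out = NULL;
    if (!get_be32(atom, atom_len, offset, &entrycount))
        return -1;
    offset += 4;

    /* Each version-0 entry is 4 bytes; the atom must hold all of them.
     * This bound alone already keeps the multiply below from wrapping. */
    if (entrycount > (atom_len - offset) / 4)
        return -1;
    /* Explicit overflow guard; it matters on 32-bit targets where size_t is
     * no wider than entrycount. */
    if (entrycount > SIZE_MAX / sizeof(uint64_t))
        return -1;

    uint64_t *table = malloc((size_t)entrycount * sizeof(uint64_t));
    if (table == NULL && entrycount != 0)
        return -1;
    for (uint32_t i = 0; i < entrycount; i++) {
        uint32_t v;
        if (!get_be32(atom, atom_len, offset, &v)) {
            free(table);
            return -1;
        }
        table[i] = v;
        offset += 4;
    }
    *out = table;
    return (long)entrycount;
}

int main(void)
{
    uint64_t *table = NULL;
    printf("forged entry_count 0x20000001 -> realloc size %u\n",
           vulnerable_alloc_size(0x20000001u));
    printf("hardened(benign) = %ld\n",
           parse_saio_hardened(benign_saio, sizeof(benign_saio), &table));
    free(table);
    printf("hardened(forged) = %ld\n",
           parse_saio_hardened(forged_saio, sizeof(forged_saio), &table));
    return 0;
}
```

In the vulnerable shape, a forged count of 0x20000001 yields an 8-byte allocation while the subsequent fill loop would still iterate 0x20000001 times, which is the heap corruption the report describes; the hardened parser rejects the same input before any allocation because the atom cannot contain that many entries.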
Comment 1 by cevans@google.com, Aug 12 2015; further comments Aug 21 2015, Oct 29 2015
This issue was discovered by another party, and the fix has been public for two weeks now. Unrestricting.