Bug 1227083 - stagefright sanitize
Status: Closed (RESOLVED INVALID)
Opened 9 years ago; closed 9 years ago
Product: Core; Component: Audio/Video: Playback; Type: defect
Reporter: jmamj90; Assignee: Unassigned
Keywords: sec-critical
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36

Steps to reproduce:

Hi

There should be Integer Overflow checks in:
http://hg.mozilla.org/mozilla-central/file/tip/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp#l1566

// each chunk originally prefixed with a 2 byte length will // have a 4 byte header (0x00 0x00 0x00 0x01) after conversion, // and thus will grow by 2 bytes per chunk. + if (max_size > SIZE_MAX - 10 * 2) { + ALOGE("max sample size too big: %zu", max_size); + return ERROR_MALFORMED; + } mLastTrack->meta->setInt32(kKeyMaxInputSize, max_size + 10 * 2); } else { // No size was specified. Pick a conservatively large size. - int32_t width, height; - if (!mLastTrack->meta->findInt32(kKeyWidth, &width) || - !mLastTrack->meta->findInt32(kKeyHeight, &height)) { + uint32_t width, height; + if (!mLastTrack->meta->findInt32(kKeyWidth, (int32_t*)&width) || + !mLastTrack->meta->findInt32(kKeyHeight,(int32_t*) &height)) { ALOGE("No width or height, assuming worst case 1080p"); width = 1920; height = 1080; + } else { + // A resolution was specified, check that it's not too big. The values below + // were chosen so that the calculations below don't cause overflows, they're + // not indicating that resolutions up to 32kx32k are actually supported. + if (width > 32768 || height > 32768) { + ALOGE("can't support %u x %u video", width, height); + return ERROR_MALFORMED; + } }

Actual results:

unsanitized size used later in allocations in multiple places

Expected results:

sanitize size
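Review bot: the "if (max_size > SIZE_MAX - 10 * 2)" guard in the first hunk only stops the size_t addition from wrapping, yet the sum is then stored with "setInt32(kKeyMaxInputSize, max_size + 10 * 2)", so any max_size above INT32_MAX - 20 still passes the check and is silently truncated when converted to int32_t, which is the width readers of kKeyMaxInputSize get back. Bounding against the 32-bit key type instead, for example "if (max_size > INT32_MAX - 10 * 2)", would reject the values that cannot be represented rather than letting them wrap at the store.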
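Review bot: in the second hunk, width and height are declared uint32_t but filled through "(int32_t*)&width" and "(int32_t*) &height" casts into findInt32, so a negative stored value is reinterpreted as a large unsigned and only then caught by the "> 32768" check; that works, but it relies on type punning, the cast spacing is inconsistent between the two calls, and the comment says the 32768 bound exists for "the calculations below" without naming them. Reading into int32_t locals, rejecting values below 1 or above 32768 explicitly, and then assigning to the unsigned variables would make the intent clear, and the comment should point at the arithmetic the bound protects since it is not in this hunk.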
Group: firefox-core-security → core-security
Component: Untriaged → Audio/Video: Playback
Keywords: sec-critical
Product: Firefox → Core
I see you check in

3721 CHECK(mFormat->findInt32(kKeyMaxInputSize, &max_size));
3722 mBuffer = new MediaBuffer(std::min(max_size, 1024 * 1024));
http://hg.mozilla.org/mozilla-central/file/tip/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp#l3722

then it's safe, sorry.
Also kKeyMaxInputSize is accessed in unused code. See https://hg.mozilla.org/try/rev/794c73a7496e (from bug 1210319) to get an idea of the libstagefright code that could just be removed, so we don't care if there are any security risks in there.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
Updated 9 years ago
Group: core-security