Closed Bug 1154672 Opened 5 years ago Closed 5 years ago
Heap buffer overflow in libstagefright (tx3g tag in mp4)
The MPEG4Extractor::parseChunk() (MPEG4Extractor.cpp) does not check for integer overflows when handling 'tx3g' tags which leads to a heap buffer overflow. When 'chunk_size' is large (e.g. 0xffffffff) and 'size' is set a integer overflow can occur. This causes the allocation of a buffer which is smaller than 'size' (https://dxr.mozilla.org/mozilla-central/source/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp#1846). When memcpy is called the overflow occurs (https://dxr.mozilla.org/mozilla-central/source/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp#1849) Attached is a PoC which will cause the said integer overflow and then overwrite data on the heap. Firefox does not necessarily crash on the first try. Reopen/reload the file multiple times untill the overflow overwrites some datastructure on the heap. Tested on mozilla-central build for Android on a Nexus 5.
Component: Audio/Video → Video/Audio
Product: Firefox for Android → Core
not 100% duplicate but handled in bug 1154683
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: CVE-2015-2717
Since this has a distinct testcase let's call it "Depends on" and FIXED so it's in the queue for security fix verification.
Depends on: CVE-2015-2717
Resolution: DUPLICATE → FIXED
Whiteboard: fixed in bug 1154683 (separate testcase)
Whiteboard: fixed in bug 1154683 (separate testcase) → [adv-main38+] fixed in bug 1154683 (separate testcase)
This bug is covered by the fix (and advisory) for bug 1154683.
(In reply to Jean-Yves Avenard [:jya] from comment #1) > not 100% duplicate but handled in bug 1154683 jya: the fix in bug 1154683 was in two chunks. Would you have fixed both without having had this bug submitted, or did this bug/testcase lead to expanding the fix? (relevant for rewarding bug bounties)
I can't say for certain. Seeing multiple bugs in the same code made me take a different approach in reviewing the entire code. It probably would have been fixed without this bug but maybe not :) There was more than one way to exploit the problem. the test file was useful to verify the fix.
You need to log in before you can comment on or make changes to this bug.