Closed
Bug 1154672
Opened 10 years ago
Closed 10 years ago
Heap buffer overflow in libstagefright (tx3g tag in mp4)
Categories
(Core :: Audio/Video, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: laf.intel, Unassigned)
References
Details
(Keywords: csectype-bounds, reporter-external, sec-high, Whiteboard: [adv-main38+] fixed in bug 1154683 (separate testcase))
Attachments
(1 file)
|
220 bytes,
video/mp4
|
Details |
The MPEG4Extractor::parseChunk() (MPEG4Extractor.cpp) does not check for integer overflows when handling 'tx3g' tags which leads to a heap buffer overflow.
When 'chunk_size' is large (e.g. 0xffffffff) and 'size' is set a integer overflow can occur. This causes the allocation of a buffer which is smaller than 'size' (https://dxr.mozilla.org/mozilla-central/source/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp#1846). When memcpy is called the overflow occurs (https://dxr.mozilla.org/mozilla-central/source/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp#1849)
Attached is a PoC which will cause the said integer overflow and then overwrite data on the heap. Firefox does not necessarily crash on the first try. Reopen/reload the file multiple times untill the overflow overwrites some datastructure on the heap. Tested on mozilla-central build for Android on a Nexus 5.
|
||
Updated•10 years ago
|
Component: Audio/Video → Video/Audio
Product: Firefox for Android → Core
|
||
Updated•10 years ago
|
Keywords: csectype-bounds,
sec-high
|
|
||
Updated•10 years ago
|
Flags: needinfo?(jyavenard)
|
||
Updated•10 years ago
|
Status: UNCONFIRMED → NEW
Ever confirmed: true
|
||
Comment 1•10 years ago
|
||
not 100% duplicate but handled in bug 1154683
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(jyavenard)
Resolution: --- → DUPLICATE
|
||
Updated•10 years ago
|
Flags: sec-bounty?
|
||
Comment 2•10 years ago
|
||
Since this has a distinct testcase let's call it "Depends on" and FIXED so it's in the queue for security fix verification.
status-b2g-v1.4:
--- → unaffected
status-b2g-v2.0:
--- → fixed
status-b2g-v2.0M:
--- → fixed
status-b2g-v2.1:
--- → fixed
status-b2g-v2.1S:
--- → fixed
status-b2g-v2.2:
--- → fixed
status-b2g-master:
--- → fixed
status-firefox38:
--- → fixed
status-firefox38.0.5:
--- → fixed
status-firefox39:
--- → fixed
status-firefox40:
--- → fixed
status-firefox-esr31:
--- → unaffected
status-firefox-esr38:
--- → fixed
Depends on: CVE-2015-2717
Resolution: DUPLICATE → FIXED
Whiteboard: fixed in bug 1154683 (separate testcase)
|
||
Updated•10 years ago
|
Whiteboard: fixed in bug 1154683 (separate testcase) → [adv-main38+] fixed in bug 1154683 (separate testcase)
|
|
||
Comment 3•10 years ago
|
||
This bug is covered by the fix (and advisory) for bug 1154683.
|
|
||
Comment 4•10 years ago
|
||
(In reply to Jean-Yves Avenard [:jya] from comment #1)
> not 100% duplicate but handled in bug 1154683
jya: the fix in bug 1154683 was in two chunks. Would you have fixed both without having had this bug submitted, or did this bug/testcase lead to expanding the fix? (relevant for rewarding bug bounties)
Flags: needinfo?(jyavenard)
|
|
||
Comment 5•10 years ago
|
||
I can't say for certain. Seeing multiple bugs in the same code made me take a different approach in reviewing the entire code. It probably would have been fixed without this bug but maybe not :)
There was more than one way to exploit the problem.
the test file was useful to verify the fix.
Flags: needinfo?(jyavenard)
|
|
||
Updated•10 years ago
|
Flags: sec-bounty? → sec-bounty+
|
||
Updated•10 years ago
|
Group: core-security → core-security-release
|
|
||
Updated•9 years ago
|
Group: core-security-release
|
||
Updated•1 year ago
|
Keywords: reporter-external
You need to log in
before you can comment on or make changes to this bug.
Description
•