Closed Bug 1154672 Opened 5 years ago Closed 5 years ago

Heap buffer overflow in libstagefright (tx3g tag in mp4)

Categories

(Core :: Audio/Video, defect, critical)

All
Android
defect
Not set
critical

Tracking

()

RESOLVED FIXED
Tracking Status
firefox38 --- fixed
firefox38.0.5 --- fixed
firefox39 --- fixed
firefox40 --- fixed
firefox-esr31 --- unaffected
firefox-esr38 --- fixed
b2g-v1.4 --- unaffected
b2g-v2.0 --- fixed
b2g-v2.0M --- fixed
b2g-v2.1 --- fixed
b2g-v2.1S --- fixed
b2g-v2.2 --- fixed
b2g-master --- fixed

People

(Reporter: laf.intel, Unassigned)

References

Details

(Keywords: csectype-bounds, sec-high, Whiteboard: [adv-main38+] fixed in bug 1154683 (separate testcase))

Attachments

(1 file)

Attached video PoC of overflow
The MPEG4Extractor::parseChunk() (MPEG4Extractor.cpp) does not check for integer overflows when handling 'tx3g' tags which leads to a heap buffer overflow.

When 'chunk_size' is large (e.g. 0xffffffff) and 'size' is set a integer overflow can occur. This causes the allocation of a buffer which is smaller than 'size' (https://dxr.mozilla.org/mozilla-central/source/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp#1846). When memcpy is called the overflow occurs (https://dxr.mozilla.org/mozilla-central/source/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp#1849)

Attached is a PoC which will cause the said integer overflow and then overwrite data on the heap. Firefox does not necessarily crash on the first try. Reopen/reload the file multiple times untill the overflow overwrites some datastructure on the heap. Tested on mozilla-central build for Android on a Nexus 5.
Component: Audio/Video → Video/Audio
Product: Firefox for Android → Core
Flags: needinfo?(jyavenard)
Status: UNCONFIRMED → NEW
Ever confirmed: true
not 100% duplicate but handled in bug 1154683
Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(jyavenard)
Resolution: --- → DUPLICATE
Duplicate of bug: CVE-2015-2717
Flags: sec-bounty?
Since this has a distinct testcase let's call it "Depends on" and FIXED so it's in the queue for security fix verification.
Depends on: CVE-2015-2717
Resolution: DUPLICATE → FIXED
Whiteboard: fixed in bug 1154683 (separate testcase)
Whiteboard: fixed in bug 1154683 (separate testcase) → [adv-main38+] fixed in bug 1154683 (separate testcase)
This bug is covered by the fix (and advisory) for bug 1154683.
(In reply to Jean-Yves Avenard [:jya] from comment #1)
> not 100% duplicate but handled in bug 1154683

jya: the fix in bug 1154683 was in two chunks. Would you have fixed both without having had this bug submitted, or did this bug/testcase lead to expanding the fix? (relevant for rewarding bug bounties)
Flags: needinfo?(jyavenard)
I can't say for certain. Seeing multiple bugs in the same code made me take a different approach in reviewing the entire code. It probably would have been fixed without this bug but maybe not :)
There was more than one way to exploit the problem.
 the test file was useful to verify the fix.
Flags: needinfo?(jyavenard)
Flags: sec-bounty? → sec-bounty+
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.