Closed
Bug 1170028
Opened 9 years ago
Closed 6 years ago
Potential string buffer overflow using sprintf in libstagefright
Categories
(Core :: Audio/Video: Playback, defect, P3)
Core
Audio/Video: Playback
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: MatsPalmgren_bugz, Unassigned)
References
Details
(Keywords: sec-other, Whiteboard: [disabled debugging code])
(spawned off from bug 1169326) q1@lastland.net writes: I have found several unsafe calls to sprintf which will or can cause the (usually stack-based) destination buffer to be overrun, possibly leading to crash problems and/or security issues. Here's a list: [...] 38.0.1\media\libstagefright\frameworks\av\media\libstagefright\foundation\AString.cpp AString::append (double x) (sprintfs a double (could have 300+ digits) into char s[16]) AString::append (void *x) (sprintfs a void * into char s[16])
Updated•9 years ago
|
Flags: needinfo?(jyavenard)
Comment 1•9 years ago
|
||
can you give me access to bug 1169326? I don't believe any code in AString.cpp is called with our use of stagefright, it's only use if the stagefright debugging is turned on (and we don't)
Flags: needinfo?(jyavenard)
Updated•9 years ago
|
Group: core-security → media-core-security
Updated•8 years ago
|
Component: Audio/Video → Audio/Video: Playback
Comment 2•6 years ago
|
||
Stagefright has been removed a while ago
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WORKSFORME
Updated•4 years ago
|
Group: media-core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•