Closed Bug 1170028 Opened 9 years ago Closed 6 years ago

Potential string buffer overflow using sprintf in libstagefright

Categories

(Core :: Audio/Video: Playback, defect, P3)

RESOLVED WORKSFORME

People

(Reporter: MatsPalmgren_bugz, Unassigned)

Details

(Keywords: sec-other, Whiteboard: [disabled debugging code])

(spawned off from bug 1169326)

q1@lastland.net writes:
I have found several unsafe calls to sprintf which will or can cause the (usually stack-based) destination buffer to be overrun, possibly leading to crash problems and/or security issues. Here's a list:

[...]

38.0.1\media\libstagefright\frameworks\av\media\libstagefright\foundation\AString.cpp
   AString::append (double x) (sprintfs a double (could have 300+ digits) into char s[16])
   AString::append (void *x) (sprintfs a void * into char s[16])
Blocks: 1169326
Flags: needinfo?(jyavenard)
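
Added illustration, not part of the original bug report or of libstagefright's code: it measures how many bytes the two conversions named above need and shows a bounded alternative to `sprintf` into `char s[16]`. The `%f` and `%p` format strings are assumptions (the report names only `sprintf` and the buffer size), and the helper names are hypothetical.

```c
#include <float.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ASTRING_TMP 16 /* size of the stack buffer named in the report */

/* Bytes, including the NUL, that "%f" (assumed format) needs for x.
 * snprintf with a NULL buffer and size 0 only measures; nothing is written. */
static int needed_for_double(double x) {
    return snprintf(NULL, 0, "%f", x) + 1;
}

/* Bytes, including the NUL, that "%p" (assumed format) needs for p.
 * The text produced by %p is implementation-defined, so the result varies
 * by platform; measure it rather than assuming it fits. */
static int needed_for_pointer(const void *p) {
    return snprintf(NULL, 0, "%p", p) + 1;
}

/* Bounded formatting: returns 0 if the whole value fit in dst, -1 if it
 * would not (dst then holds a truncated, NUL-terminated prefix). */
static int format_double(char *dst, size_t cap, double x) {
    int n = snprintf(dst, cap, "%f", x);
    return (n >= 0 && (size_t)n < cap) ? 0 : -1;
}

int main(void) {
    char s[ASTRING_TMP];

    printf("1.5     needs %d bytes (buffer is %d)\n",
           needed_for_double(1.5), ASTRING_TMP);
    printf("DBL_MAX needs %d bytes (buffer is %d)\n",
           needed_for_double(DBL_MAX), ASTRING_TMP);
    printf("pointer needs %d bytes (buffer is %d)\n",
           needed_for_pointer((void *)UINTPTR_MAX), ASTRING_TMP);

    /* With snprintf the oversized value is detected instead of overrunning s. */
    if (format_double(s, sizeof s, DBL_MAX) != 0)
        printf("DBL_MAX rejected; truncated text is \"%s\"\n", s);
    return 0;
}
```
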
Can you give me access to bug 1169326?

I don't believe any code in AString.cpp is called with our use of stagefright; it's only used if the stagefright debugging is turned on (and we don't).
Flags: needinfo?(jyavenard)
Keywords: sec-other
Whiteboard: [disabled debugging code]
Group: core-security → media-core-security
Component: Audio/Video → Audio/Video: Playback
Keywords: stalled
Priority: -- → P3
Stagefright was removed a while ago.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WORKSFORME
Group: media-core-security