Closed Bug 1170344 Opened 4 years ago Closed 4 years ago
int overflow in libstagefright during mp4 parsing
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.81 Safari/537.36

Steps to reproduce:

A specially crafted mp4 file can cause an integer overflow in VectorImpl::setCapacity. If there is a 'saio' tag in an mp4 file, MPEG4Extractor::parseChunk calls SampleTable::setSampleAuxiliaryInformationOffsetParams. The latter function calls mCencOffsets.setCapacity(cencOffsetCount) with cencOffsetCount fully controlled by an attacker. setCapacity is implemented in VectorImpl::setCapacity. In this function SharedBuffer::alloc(new_capacity * mItemSize) is called with new_capacity under attacker control. Multiplication with mItemSize (8 in this particular case) might cause an integer overflow. For example, new_capacity set to 0x20000001 results in an 8-byte allocation.
Severity: normal → minor
Component: Untriaged → Video/Audio
OS: Unspecified → Android
Product: Firefox → Core
Hardware: Unspecified → All
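As an added illustration (not libstagefright's or Mozilla's code) of the arithmetic the report describes: a model of the `new_capacity * mItemSize` size computation on a 32-bit target, beside a checked version that rejects a product that would wrap. The function names, and the use of `uint32_t` to stand in for a 32-bit `size_t`, are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not libstagefright code: model the byte-count
 * computation behind SharedBuffer::alloc(new_capacity * mItemSize) on a
 * 32-bit Android target, where size_t is 32 bits wide.  uint32_t is used
 * so the wrap-around is reproduced regardless of the host's word size. */

/* Unchecked: mirrors the vulnerable arithmetic.  The product wraps modulo 2^32,
 * so a huge element count can yield a tiny allocation. */
uint32_t alloc_size_unchecked(uint32_t new_capacity, uint32_t item_size)
{
    return new_capacity * item_size;  /* silent overflow */
}

/* Checked: refuse any capacity whose byte size would not fit in a 32-bit size_t.
 * Returns the byte count on success, or -1 if the multiplication would overflow. */
int64_t alloc_size_checked(uint32_t new_capacity, uint32_t item_size)
{
    if (item_size == 0)
        return 0;
    if (new_capacity > UINT32_MAX / item_size)
        return -1;  /* new_capacity * item_size would exceed UINT32_MAX */
    return (int64_t)new_capacity * item_size;
}

int main(void)
{
    /* Constructed values from the report: attacker-controlled cencOffsetCount
     * of 0x20000001 with mItemSize == 8 (one 64-bit offset per entry). */
    uint32_t count = 0x20000001u, item = 8u;

    printf("unchecked: 0x%08x * %u = %u bytes\n",
           count, item, alloc_size_unchecked(count, item));  /* prints 8 */
    if (alloc_size_checked(count, item) < 0)
        printf("checked:   rejected, product would overflow 32-bit size_t\n");
    return 0;
}
```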
Is this something you could look into, jya? Thanks.
Assignee: nobody → jyavenard
I shake my head in disbelief whenever I look at stagefright :(
Jean-Yves: is this a duplicate of bug 1185115? We never got a testcase but the description fits. laf.intel: can you reproduce this bug in today's nightly? If it's the other bug, the fix landed yesterday.
Yes, it's the same bug. Sorry it took so long to review. 2 months since report, that's no good :(
Yes, the commit fixed the bug in this ticket as well. It seems to be a duplicate.
Thanks. I'm going to mark this "Depends on" and FIXED rather than as a duplicate so the bounty request doesn't get overlooked. This may not have been the bug that sparked the fix but that's _our_ fault not yours.
Status: NEW → RESOLVED
Closed: 4 years ago
Depends on: CVE-2015-4479
Resolution: --- → FIXED
Whiteboard: fixed in bug 1185115 → [adv-main40+][adv-esr38.2+] fixed in bug 1185115