Bug 1170344: int overflow in libstagefright during mp4 parsing
Status: RESOLVED FIXED (Closed). Opened 10 years ago; closed 10 years ago.
Product/Component: Core :: Audio/Video, defect
Reporter: laf.intel; Assigned: jya
Keywords: csectype-intoverflow, reporter-external, sec-critical
Whiteboard: [adv-main40+][adv-esr38.2+] fixed in bug 1185115
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.81 Safari/537.36
Steps to reproduce:
A specially crafted mp4 file can cause an integer overflow in VectorImpl::setCapacity. If there is a 'saio' tag in an mp4 file, MPEG4Extractor::parseChunk calls SampleTable::setSampleAuxiliaryInformationOffsetParams. The latter function calls mCencOffsets.setCapacity(cencOffsetCount) with cencOffsetCount fully controlled by an attacker. setCapacity is implemented in VectorImpl::setCapacity. In this function SharedBuffer::alloc(new_capacity * mItemSize) is called with new_capacity under attacker control. Multiplication with mItemSize (8 in this particular case) might cause an integer overflow. For example, new_capacity set to 0x20000001 results in an 8-byte allocation.
Severity: normal → minor
Component: Untriaged → Video/Audio
OS: Unspecified → Android
Product: Firefox → Core
Hardware: Unspecified → All
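As an added illustration (not code from this bug or from libstagefright), the multiplication described in the report modelled on a 32-bit size_t, beside an overflow-checked version and a plausibility check of the entry count against the enclosing box. The 'saio' entry_count bytes, the item size of 8 and the 64 bytes assumed to remain in the box are constructed values.

```cpp
#include <cstdint>
#include <optional>

// Model of the 32-bit Android build the report targets: size_t is 32 bits,
// so capacity * item size can wrap silently. Hypothetical reconstruction,
// not the libstagefright source.
using size32_t = uint32_t;

// The unchecked computation the report describes: new_capacity * mItemSize.
static size32_t wrappingAllocSize32(size32_t newCapacity, size32_t itemSize) {
    return newCapacity * itemSize;  // 0x20000001 * 8 wraps to 8 in 32 bits
}

// Hardened form: refuse any capacity whose byte size cannot be represented.
// A division check keeps it independent of compiler builtins.
static std::optional<size32_t> checkedAllocSize32(size32_t newCapacity, size32_t itemSize) {
    if (itemSize == 0) return size32_t(0);
    if (newCapacity > UINT32_MAX / itemSize) return std::nullopt;  // product would wrap
    return newCapacity * itemSize;
}

// Second line of defence: an entry count read from the file is only plausible
// if the entries it promises fit in the bytes left in the enclosing box.
static bool countFitsInBox(size32_t count, size32_t entrySize, size32_t bytesLeftInBox) {
    return entrySize != 0 && count <= bytesLeftInBox / entrySize;
}

// Big-endian 32-bit read, the byte order MP4 box fields use.
static size32_t readBigEndian32(const uint8_t* p) {
    return (size32_t(p[0]) << 24) | (size32_t(p[1]) << 16) |
           (size32_t(p[2]) << 8) | size32_t(p[3]);
}

// Constructed sample: a 'saio' entry_count field holding the value quoted in
// the report (0x20000001). Not taken from any real file.
static const uint8_t kConstructedSaioCount[4] = {0x20, 0x00, 0x00, 0x01};

// Runs the constructed count through both paths. True only when the unchecked
// path wraps to 8 bytes and both checks reject the count (item size 8 and
// 64 bytes left in the box are assumed values).
static bool demoRejectsReportedCount() {
    size32_t count = readBigEndian32(kConstructedSaioCount);
    bool vulnerableWrapped = wrappingAllocSize32(count, 8) == 8;
    bool hardenedRejected = !checkedAllocSize32(count, 8).has_value();
    bool boxRejected = !countFitsInBox(count, 8, 64);
    return vulnerableWrapped && hardenedRejected && boxRejected;
}
```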
Updated•10 years ago
Flags: sec-bounty?
Comment 1•10 years ago
Is this something you could look into, jya? Thanks.
Flags: needinfo?(jyavenard)
Updated•10 years ago
Assignee: nobody → jyavenard
Flags: needinfo?(jyavenard)
Comment 2•10 years ago
I shake my head in disbelief whenever I look at stagefright :(
Comment 3•10 years ago
Jean-Yves: is this a duplicate of bug 1185115? We never got a testcase but the description fits.
laf.intel: can you reproduce this bug in today's nightly? If it's the other bug, the fix landed yesterday.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(laf.intel)
Flags: needinfo?(jyavenard)
Keywords: csectype-intoverflow, testcase-wanted
Comment 5•10 years ago
Yes, it's the same bug.
Sorry it took so long to review. 2 months since report, that's no good :(
Flags: needinfo?(jyavenard)
Yes, the commit fixed the bug in this ticket as well. It seems to be a duplicate.
Flags: needinfo?(laf.intel)
Comment 7•10 years ago
Thanks. I'm going to mark this "Depends on" and FIXED rather than as a duplicate so the bounty request doesn't get overlooked. This may not have been the bug that sparked the fix, but that's _our_ fault, not yours.
Updated•10 years ago
Whiteboard: fixed in bug 1185115
Updated•10 years ago
status-firefox39: --- → wontfix
status-firefox40: --- → fixed
status-firefox41: --- → fixed
status-firefox42: --- → fixed
status-firefox-esr31: --- → unaffected
status-firefox-esr38: --- → fixed
tracking-firefox-esr38: --- → 40+
Flags: sec-bounty? → sec-bounty+
Keywords: sec-critical
Updated•10 years ago
Whiteboard: fixed in bug 1185115 → [adv-main40+][adv-esr38.2+] fixed in bug 1185115
Updated•9 years ago
Group: core-security → core-security-release
Updated•9 years ago
Keywords: testcase-wanted
Updated•9 years ago
Group: core-security-release
Updated•9 months ago
Keywords: reporter-external