Closed Bug 1170344 Opened 4 years ago Closed 4 years ago

int overflow in libstagefright during mp4 parsing

Categories

Product/Component: Core :: Audio/Video
Type: defect
Severity: major
Hardware: All
OS: Android
Priority: Not set

Tracking

RESOLVED FIXED
Tracking Status
firefox39 --- wontfix
firefox40 --- fixed
firefox41 --- fixed
firefox42 --- fixed
firefox-esr31 --- unaffected
firefox-esr38 40+ fixed

People

(Reporter: laf.intel, Assigned: jya)

Details

(Keywords: csectype-intoverflow, sec-critical, Whiteboard: [adv-main40+][adv-esr38.2+] fixed in bug 1185115)

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.81 Safari/537.36

Steps to reproduce:

A specially crafted mp4 file can cause an integer overflow in VectorImpl::setCapacity. If there is a 'saio' tag in an mp4 file, MPEG4Extractor::parseChunk calls SampleTable::setSampleAuxiliaryInformationOffsetParams. The latter function calls mCencOffsets.setCapacity(cencOffsetCount) with cencOffsetCount fully controlled by an attacker. The setCapacity is implemented in VectorImpl::setCapacity. In this function SharedBuffer::alloc(new_capacity * mItemSize) is called with new_capacity under attacker control. Multiplication with mItemSize (8 in this particular case) might cause an integer overflow. For example, new_capacity set to 0x20000001 results in an 8 byte allocation.
Severity: normal → minor
Component: Untriaged → Video/Audio
OS: Unspecified → Android
Product: Firefox → Core
Hardware: Unspecified → All
Severity: minor → major
Flags: sec-bounty?
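The arithmetic the report describes, as an added worked example (this is not libstagefright's or Android's code): the unchecked product evaluated in 32-bit unsigned arithmetic, beside an overflow-checked version and a parser-side bound on the entry count. The function names `unchecked_alloc_size`, `checked_alloc_size` and `count_fits_box` are invented for this illustration; the item size of 8 and the capacity 0x20000001 are taken from the report, and the 64-byte box payload is a constructed sample value.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Per-element size of mCencOffsets as stated in the report (8 bytes). */
#define CENC_OFFSET_ITEM_SIZE 8u

/* The unchecked computation the report describes: on a 32-bit build
 * new_capacity * mItemSize is evaluated in 32-bit unsigned arithmetic and
 * silently wraps. uint32_t is used here so the result is identical on any
 * host, 32- or 64-bit. */
uint32_t unchecked_alloc_size(uint32_t new_capacity, uint32_t item_size)
{
    return new_capacity * item_size; /* wraps modulo 2^32 */
}

/* Hardened variant (hypothetical name, not Android's API): compute the
 * byte count only if it fits in 32 bits; return -1 on overflow so the
 * caller can fail the allocation instead of receiving a tiny buffer. */
int64_t checked_alloc_size(uint32_t new_capacity, uint32_t item_size)
{
    if (item_size != 0 && new_capacity > UINT32_MAX / item_size)
        return -1; /* product would exceed UINT32_MAX */
    return (int64_t)new_capacity * item_size;
}

/* Parser-side sanity check (hypothetical): an entry count read from a
 * container box cannot legitimately exceed the number of entries that fit
 * in the bytes remaining in that box. Rejecting the count here means the
 * vector never sees an attacker-chosen capacity in the first place. */
bool count_fits_box(uint32_t entry_count, uint32_t entry_size,
                    uint32_t bytes_remaining)
{
    if (entry_size == 0)
        return false;
    return entry_count <= bytes_remaining / entry_size;
}

int main(void)
{
    const uint32_t cap = 0x20000001u; /* value from the report */

    printf("unchecked: 0x%08x * %u = %u bytes\n", cap, CENC_OFFSET_ITEM_SIZE,
           unchecked_alloc_size(cap, CENC_OFFSET_ITEM_SIZE));

    int64_t bytes = checked_alloc_size(cap, CENC_OFFSET_ITEM_SIZE);
    if (bytes < 0)
        printf("checked:   capacity 0x%08x rejected (overflow)\n", cap);
    else
        printf("checked:   %lld bytes\n", (long long)bytes);

    /* Constructed box size: a 64-byte payload cannot hold 0x20000001
     * entries of 4 bytes each, so the count is rejected before any
     * allocation happens. */
    printf("parser:    count fits box? %s\n",
           count_fits_box(cap, 4u, 64u) ? "yes" : "no");
    return 0;
}
```

The first function reproduces the 8-byte result the report gives for 0x20000001 * 8; the other two show the two places a defender can break the chain, at the multiplication itself and, earlier, where the count is read from the file.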
Is this something you could look into, jya? Thanks.
Flags: needinfo?(jyavenard)
Assignee: nobody → jyavenard
Flags: needinfo?(jyavenard)
I shake my head in disbelief whenever I look at stagefright :(
Jean-Yves: is this a duplicate of bug 1185115? we never got a testcase but the description fits.

laf.intel: can you reproduce this bug in today's nightly? If it's the other bug the fix landed yesterday.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(laf.intel)
Flags: needinfo?(jyavenard)
Yes, it's the same bug.

sorry it took so long to review. 2 months since report, that's no good :(
Flags: needinfo?(jyavenard)
Yes, the commit fixed the bug in this ticket as well. It seems to be a duplicate.
Flags: needinfo?(laf.intel)
Thanks. I'm going to mark this "Depends on" and FIXED rather than as a duplicate so the bounty request doesn't get overlooked. This may not have been the bug that sparked the fix but that's _our_ fault not yours.
Status: NEW → RESOLVED
Closed: 4 years ago
Depends on: CVE-2015-4479
Resolution: --- → FIXED
Whiteboard: fixed in bug 1185115
Whiteboard: fixed in bug 1185115 → [adv-main40+][adv-esr38.2+] fixed in bug 1185115
Group: core-security → core-security-release
Group: core-security-release