Closed Bug 1194479 Opened 5 years ago Closed 5 years ago

Questions about stagefright fixes

Categories: Core :: Audio/Video, defect
Status: RESOLVED DUPLICATE of bug 1154683
People: Reporter: dveditz, Unassigned
Keywords: sec-audit

ExodusIntel has raised questions about Google's fixes for the Android bug. We may not support the atom in question, but our recent fixes did follow a similar pattern in several cases.

+           if (SIZE_MAX - chunk_size <= size) {
+               return ERROR_MALFORMED;
+           }
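Review bot: the guard `SIZE_MAX - chunk_size <= size` only bounds the later sum if both operands are no wider than `size_t`; the types are not visible in this hunk, and if `chunk_size` is a 64-bit value on a build where `size_t` is 32 bits, the subtraction is evaluated in 64 bits and wraps to a very large value whenever `chunk_size > SIZE_MAX`, so the comparison is false and the check passes for a sum that is then truncated at the allocation. Suggest rejecting `chunk_size > SIZE_MAX` (or comparing in the wider type against the real allocation limit) before this line, and adding a comment stating the widths the check relies on.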

http://blog.exodusintel.com/2015/08/13/stagefright-mission-accomplished/
Flags: needinfo?(jyavenard)

We have fixed all those issues in bug 1154683, back in April.

Looking at the push, all versions have been fixed up to b2g 34.

Wherever an allocation using the new operator is done, we've added something like:
            // Make sure (size + chunk_size) isn't going to overflow.
            if (size >= kMAX_ALLOCATION - chunk_size) {
                return ERROR_MALFORMED;
            }

which is really just the same as what Google has done (though we did it earlier, yeah!)

Something of importance, really: there is another severe vulnerability in stagefright that we fixed in bug 1128410 (it wasn't marked as security).

Those problems are still in stagefright, and IMHO are way worse than the vulnerabilities that hit the spotlight recently.
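The `size >= kMAX_ALLOCATION - chunk_size` guard quoted in the comment above rejects an overflowing sum correctly only when `chunk_size` is already known to be below the ceiling, because the unsigned subtraction wraps otherwise; whether an earlier check guarantees that is not shown on this page. The following is an added example, not Mozilla's or Google's code: it compares that guard with one that bounds `chunk_size` first, using a hypothetical `KMAX_ALLOCATION` value (the real constant's value is not on the page) and constructed inputs.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical allocation ceiling standing in for kMAX_ALLOCATION;
 * the real value used by the extractor is not given on the page. */
#define KMAX_ALLOCATION ((uint64_t)16 * 1024 * 1024)

/* Guard in the form quoted in the bug: size >= kMAX_ALLOCATION - chunk_size.
 * Returns true when the request should be rejected as malformed.
 * If chunk_size alone exceeds the ceiling, the unsigned subtraction wraps
 * to a large value and the comparison accepts the request. */
bool guard_subtract(uint64_t size, uint64_t chunk_size)
{
    return size >= KMAX_ALLOCATION - chunk_size;
}

/* Same intent, but chunk_size is bounded before the subtraction, so the
 * check holds without relying on an earlier range check elsewhere. */
bool guard_bounded(uint64_t size, uint64_t chunk_size)
{
    if (chunk_size >= KMAX_ALLOCATION) {
        return true;
    }
    return size >= KMAX_ALLOCATION - chunk_size;
}

/* Ground truth used to compare the two guards: is size + chunk_size
 * really below the ceiling, evaluated without any wrap-around? */
bool sum_within_limit(uint64_t size, uint64_t chunk_size)
{
    return chunk_size < KMAX_ALLOCATION && size < KMAX_ALLOCATION - chunk_size;
}

int main(void)
{
    /* Constructed inputs: a normal chunk, a chunk exactly at the ceiling,
     * and a 64-bit length far above it, as an unchecked value read from a
     * file could be. */
    uint64_t cases[][2] = {
        {1024, 4096},
        {1024, KMAX_ALLOCATION},
        {1024, UINT64_C(0xFFFFFFFFFFFFFF00)},
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint64_t s = cases[i][0], c = cases[i][1];
        printf("size=%llu chunk=%llu subtract-guard rejects=%d bounded-guard rejects=%d sum ok=%d\n",
               (unsigned long long)s, (unsigned long long)c,
               guard_subtract(s, c), guard_bounded(s, c), sum_within_limit(s, c));
    }
    return 0;
}
```

For the third input the subtraction-only guard accepts a sum that is nowhere near the ceiling check's intent, while the bounded guard rejects it.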
Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(jyavenard)
Resolution: --- → DUPLICATE
Duplicate of bug: CVE-2015-2717
Group: core-security → core-security-release
Group: core-security-release