Bug 1212024 - Cherrypick upstream libstagefright overflow bug fixes
Status: RESOLVED FIXED (Closed)
Opened 9 years ago; closed 9 years ago
Categories: Core :: Audio/Video: Playback, defect, P1
People: Reporter: q1, Assigned: mozbugz
Keywords: sec-other
While submitting https://code.google.com/p/android/issues/detail?id=188891 (submission of https://bugzilla.mozilla.org/show_bug.cgi?id=1210489 to the libstagefright team), I noticed various overflow-related bug fixes in media\libstagefright\* . It'd be very good to screen those and fix up the codebase accordingly.
Updated•9 years ago
Group: core-security → core-security-release
Comment 1•9 years ago
jya: do we need this bug or is it covered by the other stagefright changes already in progress? I know we're rewriting things to reduce or eliminate stagefright, and we've also already picked up some of their patches in the meantime.
Flags: needinfo?(jyavenard)
Comment 2•9 years ago
We've diverged enough that just doing a diff isn't helpful. If someone wants to go through recent patches and see whether there's something that fixes things we're still vulnerable to (with a test case) that _would_ be useful, and imo bounty-worthy. But I don't see the point of a generic bug like this, except as a metabug for tracking more specific work.
(In reply to Ralph Giles (:rillian) from comment #2)
> We've diverged enough that just doing a diff isn't helpful. If someone wants
> to go through recent patches and see whether there's something that fixes
> things we're still vulnerable to (with a test case) that _would_ be useful,
> and imo bounty-worthy....
I'll add this search to my queue.
Comment 4•9 years ago
I can't see the upstream code; and AFAIK we've covered many more overflow errors in our codebase than upstream (there are still some major overflow errors there).
And so far, none of the "bugs" reported upstream were valid on our current codebase.
Flags: needinfo?(jyavenard)
(In reply to Jean-Yves Avenard [:jya] from comment #4)
> I can't see the upstream code...
I had some trouble finding it myself. If you're interested, it's at https://android.googlesource.com/platform/frameworks/av/+/master/media/libstagefright/ .
Comment 6•9 years ago
Sorry, I meant that I couldn't see the upstream "bug", not the code.
Comment 7•9 years ago
(In reply to Jean-Yves Avenard [:jya] from comment #6)
> sorry, I meant that I couldn't see the upstream "bug" not code
It's probably still inside the security fence.
Anyway we should probably monitor the git repo regularly to get a sniff of fixes before bugs become public.
Comment 8•9 years ago
As suggested in comment 2, dependent bugs should be created when we find something pertinent chez Google.
And we can record here Google's bugs that are already fixed on our side, or that don't apply to our use of stagefright, so we don't revisit them all the time.
Comment 9•9 years ago
https://code.google.com/p/android/issues/detail?id=181701
"StageFright: integer overflow and heap overflow in MPEG4Extractor when handling malformed stsz/stz2 boxes leading to arbitrary memory address control"
Already fixed as part of bug 1128939.
For the story: jya actually found this issue while working on unrelated bug 1128939, and notified Google about it then. 6 months later the Android issue linked above was created, and earned the reporter a nice cash prize -- fair enough, but a bit disappointing that Google didn't fix the hole when we reported it earlier.
Should we have a closer relationship with the relevant people at Google, in particular to avoid having big delays between fixes from one side to the other?
Depends on: CVE-2015-0829
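To illustrate the bug class named in the issue title quoted above (a sample_count that makes "count times entry size" wrap in 32-bit arithmetic), here is an added example, not code from libstagefright or from Mozilla's tree: a small C parser for the stsz/stz2 payload that computes the implied table length in 64-bit arithmetic and checks it against the bytes actually present before allocating or reading anything, shown beside the 32-bit check such a count defeats. The box layouts follow ISO 14496-12; the sample boxes, function names and struct names are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Read a 32-bit big-endian word; ISO BMFF fields are big-endian. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Result of parsing an stsz/stz2 header (hypothetical type for this example). */
typedef struct {
    uint32_t sample_size;   /* stsz only: non-zero means every sample has this size */
    uint32_t sample_count;
    uint8_t  field_size;    /* bits per table entry: 32 (stsz) or 4/8/16 (stz2) */
} sample_size_table;

/* Parse the payload of an 'stsz' (is_stz2 == 0) or 'stz2' (is_stz2 != 0) box,
 * i.e. the bytes after the 8-byte box header. Returns 0 on success, -1 if the
 * box is malformed. The table length implied by sample_count is computed in
 * 64-bit arithmetic and compared with the bytes present, so a huge count
 * cannot wrap the product and slip past the check. */
int parse_sample_size_box(const uint8_t *payload, size_t len, int is_stz2,
                          sample_size_table *out) {
    /* version(1) + flags(3) + sample_size or reserved+field_size(4) + sample_count(4) */
    if (payload == NULL || out == NULL || len < 12) return -1;
    if (payload[0] != 0) return -1;            /* only version 0 is defined */

    uint32_t count = be32(payload + 8);
    uint32_t fixed_size = 0;
    uint8_t field_size;
    if (is_stz2) {
        field_size = payload[7];               /* low byte of the second word */
        if (field_size != 4 && field_size != 8 && field_size != 16) return -1;
    } else {
        fixed_size = be32(payload + 4);
        field_size = 32;
    }

    int has_table = is_stz2 || fixed_size == 0;   /* stsz with fixed size has no table */
    if (has_table) {
        uint64_t table_bits  = (uint64_t)count * field_size;   /* cannot wrap */
        uint64_t table_bytes = (table_bits + 7) / 8;
        if (table_bytes > (uint64_t)(len - 12)) return -1;     /* table overruns box */
    }
    out->sample_size  = fixed_size;
    out->sample_count = count;
    out->field_size   = field_size;
    return 0;
}

/* Copy per-sample sizes out of a table that parse_sample_size_box already
 * validated for this payload. Returns NULL if there is no table or the
 * allocation size would not fit in size_t. Caller frees the result. */
uint32_t *read_sample_sizes(const uint8_t *payload, int is_stz2,
                            const sample_size_table *t) {
    if (!is_stz2 && t->sample_size != 0) return NULL;
    if (t->sample_count > SIZE_MAX / sizeof(uint32_t)) return NULL;
    uint32_t *sizes = malloc((size_t)t->sample_count * sizeof(uint32_t));
    if (sizes == NULL) return NULL;
    const uint8_t *tbl = payload + 12;
    for (uint32_t i = 0; i < t->sample_count; i++) {
        switch (t->field_size) {
        case 32: sizes[i] = be32(tbl + (size_t)i * 4); break;
        case 16: sizes[i] = ((uint32_t)tbl[i * 2] << 8) | tbl[i * 2 + 1]; break;
        case 8:  sizes[i] = tbl[i]; break;
        default: sizes[i] = (i & 1) ? (tbl[i / 2] & 0x0F) : (tbl[i / 2] >> 4); break;
        }
    }
    return sizes;
}

/* The 32-bit check a naive parser would use: count * 4 wraps, so a count of
 * 0x40000001 yields 4 bytes and the table appears to fit in a 20-byte box. */
int naive_table_fits(uint32_t count, size_t len) {
    uint32_t bytes = count * 4u;               /* wraps for count >= 0x40000000 */
    return len >= 12 && bytes <= len - 12;
}

/* Constructed sample boxes (not taken from any real file). */
static const uint8_t GOOD_STSZ[] = {0,0,0,0, 0,0,0,0, 0,0,0,2, 0,0,0,100, 0,0,0,200};
static const uint8_t GOOD_STZ2[] = {0,0,0,0, 0,0,0,4, 0,0,0,3, 0x12, 0x30};
static const uint8_t HUGE_COUNT_STSZ[] = {0,0,0,0, 0,0,0,0, 0xFF,0xFF,0xFF,0xFF, 0,0,0,100, 0,0,0,200};
static const uint8_t WRAP_COUNT_STSZ[] = {0,0,0,0, 0,0,0,0, 0x40,0,0,1, 0,0,0,100, 0,0,0,200};

/* Parse a box and return the sum of its sample sizes, or -1 if rejected. */
long demo_total_size(const uint8_t *payload, size_t len, int is_stz2) {
    sample_size_table t;
    if (parse_sample_size_box(payload, len, is_stz2, &t) != 0) return -1;
    uint32_t *sizes = read_sample_sizes(payload, is_stz2, &t);
    if (sizes == NULL) return -1;
    long total = 0;
    for (uint32_t i = 0; i < t.sample_count; i++) total += sizes[i];
    free(sizes);
    return total;
}

int main(void) {
    printf("good stsz total: %ld\n", demo_total_size(GOOD_STSZ, sizeof GOOD_STSZ, 0));
    printf("good stz2 total: %ld\n", demo_total_size(GOOD_STZ2, sizeof GOOD_STZ2, 1));
    printf("wrapping count rejected: %d, naive check accepts it: %d\n",
           demo_total_size(WRAP_COUNT_STSZ, sizeof WRAP_COUNT_STSZ, 0) == -1,
           naive_table_fits(0x40000001u, sizeof WRAP_COUNT_STSZ));
    return 0;
}
```

The point of the two checks side by side is that the count in WRAP_COUNT_STSZ is chosen so that the 32-bit product equals 4; a parser that trusts that product would allocate or index far less than it later reads, which is the shape of the overflow the quoted issue title describes. Widening the arithmetic before the bounds check, and bounding every table against the enclosing box, closes that gap for any count value.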
Comment 10•9 years ago
Android bug 182146, AndroidID-23270724:
https://code.google.com/p/android/issues/detail?id=182146
Also reported here in bug 1206769.
Does not apply because it's in code we do not use (and which should eventually be removed as part of bug 1210319).
Depends on: 1206769
Comment 11•9 years ago
AndroidID-22008959, no public Android bug (yet).
Patch: https://android.googlesource.com/platform/frameworks/av/+/f810a8298aea13fa177060cdc10c8297eac69c49%5E!/#F0
Independently fixed as part of bug 1128939, and the patch is actually in code we do not use.
Comment 12•9 years ago
AndroidID-21814993, no public Android bug (yet).
Patch: https://android.googlesource.com/platform/frameworks/av/+/f11e95b21007f24e5ab77298370855f9f085b2d7%5E!/#F0
That patch is in code we do not use.
Comment 13•9 years ago
Android issue 182838, AndroidID-23213430:
https://code.google.com/p/android/issues/detail?id=182838
Fixed (differently) by patch in bug 1158568.
Depends on: 1158568
Comment 14•9 years ago
AndroidID-22388975, no public Android bug (yet).
Patch: https://android.googlesource.com/platform/frameworks/av/+/073e4f6748f5d7deb095c42fad9271cb99e22d07%5E!/#F0
That patch is in code we do not use.
Comment 15•9 years ago
AndroidID-23034759, no public Android bug (yet).
Patch: https://android.googlesource.com/platform/frameworks/av/+/0e20b2093aa2bbc93afed8d68d3765d18a431b74%5E!/#F0
Fixed (differently) by patch in bug 1158568.
Comment 16•9 years ago
Android issue 182147, AndroidID-23031033:
https://code.google.com/p/android/issues/detail?id=182147
Fixed (differently) by patch in bug 1158568.
Updated•9 years ago
Priority: -- → P1
Updated•9 years ago
Assignee: nobody → gsquelart
Updated•9 years ago
Depends on: CVE-2015-7222
Comment 17•9 years ago
I'm going to mark this sec-other, because the upstream fixes have been going in separate bugs.
Keywords: sec-other
Updated•9 years ago
Group: media-core-security
It is not worth doing more than we have already done here.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Updated•9 years ago
Group: media-core-security
Updated•5 years ago
Group: core-security-release