Closed Bug 1212024 Opened 6 years ago Closed 5 years ago

Cherrypick upstream libstagefright overflow bug fixes

Categories

(Core :: Audio/Video: Playback, defect, P1)

41 Branch
defect

Tracking


RESOLVED FIXED

People

(Reporter: q1, Assigned: gerald)

References

Details

(Keywords: sec-other)

While submitting https://code.google.com/p/android/issues/detail?id=188891 (submission of https://bugzilla.mozilla.org/show_bug.cgi?id=1210489 to the libstagefright team), I noticed various overflow-related bugfixes in media\libstagefright\* . It'd be very good to screen those and fix up the codebase accordingly.
Group: core-security → core-security-release
jya: do we need this bug or is it covered by the other stagefright changes already in progress? I know we're rewriting things to reduce or eliminate stagefright, and we've also already picked up some of their patches in the meantime.
Flags: needinfo?(jyavenard)
We've diverged enough that just doing a diff isn't helpful. If someone wants to go through recent patches and see whether there's something that fixes things we're still vulnerable to (with a test case) that _would_ be useful, and imo bounty-worthy. But I don't see the point of a generic bug like this, except as a metabug for tracking more specific work.
(In reply to Ralph Giles (:rillian) from comment #2)
> We've diverged enough that just doing a diff isn't helpful. If someone wants
> to go through recent patches and see whether there's something that fixes
> things we're still vulnerable to (with a test case) that _would_ be useful,
> and imo bounty-worthy....

I'll add this search to my queue.
I can't see the upstream code; and AFAIK we've covered many more overflow errors in our codebase than upstream has (there are still some major overflow errors there).

And so far, none of the "bugs" reported upstream were valid on our current codebase.
Flags: needinfo?(jyavenard)
(In reply to Jean-Yves Avenard [:jya] from comment #4)
> I can't see the upstream code...

I had some trouble finding it myself. If you're interested, it's at https://android.googlesource.com/platform/frameworks/av/+/master/media/libstagefright/ .
Sorry, I meant that I couldn't see the upstream "bug", not the code.
(In reply to Jean-Yves Avenard [:jya] from comment #6)
> sorry, I meant that I couldn't see the upstream "bug" not code

It's probably still inside the security fence.

Anyway we should probably monitor the git repo regularly to get a sniff of fixes before bugs become public.
As suggested in comment 2, dependent bugs should be created when we find something pertinent chez Google.

And we can record here Google's bugs that are already fixed on our side, or that don't apply to our use of stagefright, so we don't revisit them all the time.
https://code.google.com/p/android/issues/detail?id=181701
"StageFright: integer overflow and heap overflow in MPEG4Extractor when handling malformed stsz/stz2 boxes leading to arbitrary memory address control"

Already fixed as part of bug 1128939.


For the story: jya actually found this issue while working on unrelated bug 1128939, and notified Google about it then. Six months later the Android issue linked above was created, and earned the reporter a nice cash prize. Fair enough, but a bit disappointing that Google didn't fix the hole when we reported it earlier.

Should we have a closer relationship with the relevant people at Google, in particular to avoid having big delays between fixes from one side to the other?
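As an added illustration of the overflow class named in that issue title (this is not code from libstagefright, nor from the Mozilla patches referenced in this bug): a minimal parser for the standard ISO BMFF stsz payload that checks the declared sample_count against the bytes actually present, in 64-bit arithmetic, before allocating the table. Both input buffers are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Result of parsing an 'stsz' (sample size) box payload. */
typedef struct {
    uint32_t sample_size;   /* non-zero => every sample has this size, no table */
    uint32_t sample_count;
    uint32_t *entries;      /* sample_count sizes when sample_size == 0, else NULL */
} stsz_table;

static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parse the stsz payload that follows the 8-byte box header.
 * Returns 0 on success, -1 on malformed input. The entry count is
 * validated against the real payload length before any allocation,
 * so a hostile sample_count cannot produce an undersized buffer. */
int parse_stsz(const uint8_t *buf, size_t len, stsz_table *out) {
    memset(out, 0, sizeof *out);
    if (len < 12) return -1;                 /* version/flags, sample_size, sample_count */
    out->sample_size  = read_be32(buf + 4);
    out->sample_count = read_be32(buf + 8);
    if (out->sample_size != 0) return 0;     /* fixed-size samples: no table follows */
    /* 64-bit arithmetic: count * 4 cannot wrap as it could in a 32-bit size_t. */
    uint64_t need = (uint64_t)out->sample_count * 4u;
    if (need > len - 12) return -1;          /* table claims more entries than bytes present */
    if (out->sample_count == 0) return 0;
    out->entries = malloc((size_t)need);
    if (!out->entries) return -1;
    for (uint32_t i = 0; i < out->sample_count; i++)
        out->entries[i] = read_be32(buf + 12 + (size_t)i * 4);
    return 0;
}

void free_stsz(stsz_table *t) { free(t->entries); t->entries = NULL; }

/* Constructed inputs: a valid 2-entry table, and one declaring
 * sample_count = 0xFFFFFFFF, whose count*4 would wrap in 32-bit arithmetic. */
static const uint8_t good_stsz[] = {0,0,0,0, 0,0,0,0, 0,0,0,2, 0,0,0,0x10, 0,0,0,0x20};
static const uint8_t bad_stsz[]  = {0,0,0,0, 0,0,0,0, 0xFF,0xFF,0xFF,0xFF, 0,0,0,0x10};

int demo_good(void) { stsz_table t; int r = parse_stsz(good_stsz, sizeof good_stsz, &t);
    int ok = (r == 0 && t.sample_count == 2 && t.entries[1] == 0x20); free_stsz(&t); return ok; }
int demo_bad(void)  { stsz_table t; return parse_stsz(bad_stsz, sizeof bad_stsz, &t) == -1; }
```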
Depends on: CVE-2015-0829
Android bug 182146, AndroidID-23270724:
https://code.google.com/p/android/issues/detail?id=182146
Also reported here in bug 1206769.

Does not apply because it's in code we do not use (and which should eventually be removed as part of bug 1210319).
Depends on: 1206769
AndroidID-22008959, no public Android bug (yet).
Patch: https://android.googlesource.com/platform/frameworks/av/+/f810a8298aea13fa177060cdc10c8297eac69c49%5E!/#F0

Independently fixed as part of bug 1128939, and the patch is actually in code we do not use.
AndroidID-21814993, no public Android bug (yet).
Patch: https://android.googlesource.com/platform/frameworks/av/+/f11e95b21007f24e5ab77298370855f9f085b2d7%5E!/#F0

That patch is in code we do not use.
Android issue 182838, AndroidID-23213430:
https://code.google.com/p/android/issues/detail?id=182838

Fixed (differently) by patch in bug 1158568.
Depends on: 1158568
AndroidID-22388975, no public Android bug (yet).
Patch: https://android.googlesource.com/platform/frameworks/av/+/073e4f6748f5d7deb095c42fad9271cb99e22d07%5E!/#F0

That patch is in code we do not use.
AndroidID-23034759, no public Android bug (yet).
Patch: https://android.googlesource.com/platform/frameworks/av/+/0e20b2093aa2bbc93afed8d68d3765d18a431b74%5E!/#F0

Fixed (differently) by patch in bug 1158568.
Android issue 182147, AndroidID-23031033:
https://code.google.com/p/android/issues/detail?id=182147

Fixed (differently) by patch in bug 1158568.
Priority: -- → P1
Assignee: nobody → gsquelart
Depends on: CVE-2015-7222
Depends on: 1216845
I'm going to mark this sec-other, because the upstream fixes have been going in separate bugs.
Keywords: sec-other
Group: media-core-security
No longer depends on: 1206769
Depends on: 1206769
It is not worth doing more than we have already done here.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Group: media-core-security
Group: core-security-release