Closed Bug 1226996 Opened 10 years ago Closed 10 years ago

Firefox Stagefright heap overflow

Categories

(Core :: Audio/Video: Playback, defect)

defect
Not set
critical

RESOLVED INVALID

People

(Reporter: jmamj90, Unassigned)

Details

(Keywords: crash, csectype-intoverflow, sec-critical)

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36
Firefox for Android

Steps to reproduce:

In current trunk there is an Integer Overflow leading to Heap Overflow in Firefox Stagefright.

Integer overflow here:
http://hg.mozilla.org/mozilla-central/file/tip/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp#l2009

Wrong check here (fails when chunk_size is 64 bits):
http://hg.mozilla.org/mozilla-central/file/tip/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp#l2006

Heap Overflow here:
http://hg.mozilla.org/mozilla-central/file/tip/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp#l2015

Expected results:

size sanitized correctly (even for 64 bits)
Group: firefox-core-security → core-security
Severity: normal → critical
Component: Untriaged → Audio/Video: Playback
Product: Firefox → Core
Similar to https://blog.exodusintel.com/2015/08/13/stagefright-mission-accomplished/

I've sent 2 bugs in stagefright (in ACodec and OMXCodec) to Google, and they told me that Google Security Team found them a few weeks ago; should I report them here? (They are still unfixed in Firefox Stagefright.)
Thank you for reporting this.

(In reply to jmamj90 from comment #0)
> User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36
> (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36
> Firefox for Android
>
> Steps to reproduce:
>
> In current trunk there is an Integer Overflow leading to Heap Overflow in
> Firefox Stagefright
>
> Integer overflow here
> http://hg.mozilla.org/mozilla-central/file/tip/media/libstagefright/
> frameworks/av/media/libstagefright/MPEG4Extractor.cpp#l2009
>
> Wrong check here (fails when chunk_size is 64 bits)
> http://hg.mozilla.org/mozilla-central/file/tip/media/libstagefright/
> frameworks/av/media/libstagefright/MPEG4Extractor.cpp#l2006

Note that chunk_size is itself verified to be strictly smaller than kMAX_ALLOCATION (2 GB) at the top of the function:
http://hg.mozilla.org/mozilla-central/file/tip/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp#l793

So I don't believe the check |size >= kMAX_ALLOCATION - chunk_size| at line 2006 can fail, and therefore size+chunk_size cannot overflow in the 'new' statement at line 2009.

> Heap Overflow here
> http://hg.mozilla.org/mozilla-central/file/tip/media/libstagefright/
> frameworks/av/media/libstagefright/MPEG4Extractor.cpp#l2015

Shouldn't happen thanks to the checks above.

> Expected results:
> size sanitized correctly (even for 64 bits)

I believe we're safe here. Or did I miss something?
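The reasoning in the comment above, as an added illustration that is not code from MPEG4Extractor.cpp or from either commenter: a constructed model of the two-stage bound (chunk_size strictly below the 2 GB ceiling at function entry, then size >= kMAX_ALLOCATION - chunk_size at the allocation site), showing that the sum stays below the ceiling whenever both checks pass, and why the first stage is what keeps the unsigned subtraction in the second from wrapping. The constant value, the uint64_t types and all function names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the 2 GB ceiling cited in the discussion;
 * the real constant lives in MPEG4Extractor.cpp. */
#define KMAX_ALLOCATION ((uint64_t)2 * 1024 * 1024 * 1024)

/* Stage 1: models the top-of-function check (assumed shape).
 * chunk_size must be strictly below the ceiling. */
bool chunk_size_ok(uint64_t chunk_size) {
    return chunk_size < KMAX_ALLOCATION;
}

/* Stage 2: models the allocation-site check (assumed shape).
 * Rejects when size >= kMAX_ALLOCATION - chunk_size. Relies on stage 1:
 * with chunk_size < ceiling, the subtraction cannot wrap. */
bool alloc_size_ok(uint64_t size, uint64_t chunk_size) {
    if (!chunk_size_ok(chunk_size)) return false;
    if (size >= KMAX_ALLOCATION - chunk_size) return false;
    return true;
}

/* Invariant the checks are meant to enforce: the buffer length passed to
 * the allocation (size + chunk_size) stays below the ceiling, so no
 * 32-bit length can wrap. Computed in 64 bits, which cannot overflow for
 * operands that each fit in 32 bits. */
bool sum_below_ceiling(uint64_t size, uint64_t chunk_size) {
    return size + chunk_size < KMAX_ALLOCATION;
}

/* Counterfactual: stage 2 evaluated without stage 1. If chunk_size were
 * allowed to exceed the ceiling, the unsigned subtraction would wrap to a
 * huge value and the comparison would accept any size. */
bool stage2_alone_accepts(uint64_t size, uint64_t chunk_size) {
    return size < KMAX_ALLOCATION - chunk_size;
}

int main(void) {
    uint64_t ok_size = 4096, ok_chunk = 65536;
    uint64_t big_chunk = KMAX_ALLOCATION + 5;
    printf("guarded  : %s\n", alloc_size_ok(ok_size, ok_chunk) ? "accept" : "reject");
    printf("guarded  : %s\n", alloc_size_ok(ok_size, big_chunk) ? "accept" : "reject");
    printf("unguarded: %s\n", stage2_alone_accepts(ok_size, big_chunk) ? "accept" : "reject");
    return 0;
}
```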
I'm glad I've missed the top function check; you're right, sorry for this.
No worries, thank you again for reporting this potential issue.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → INVALID
Group: core-security