Status: RESOLVED INVALID
Product: Core
Component: Audio/Video: Playback
Reported: 2 years ago
Modified: 2 years ago
Reporter: jmamj90
Assignee: Unassigned
Keywords: sec-critical
Version: Trunk
Points: ---
Firefox Tracking Flags: (Not tracked)

Description (Reporter, 2 years ago)

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36

Steps to reproduce:

Hi
There should be Integer Overflow checks in:
http://hg.mozilla.org/mozilla-central/file/tip/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp#l1566


                 // each chunk originally prefixed with a 2 byte length will
                 // have a 4 byte header (0x00 0x00 0x00 0x01) after conversion,
                 // and thus will grow by 2 bytes per chunk.
+                if (max_size > SIZE_MAX - 10 * 2) {
+                    ALOGE("max sample size too big: %zu", max_size);
+                    return ERROR_MALFORMED;
+                }
                 mLastTrack->meta->setInt32(kKeyMaxInputSize, max_size + 10 * 2);
             } else {
                 // No size was specified. Pick a conservatively large size.
-                int32_t width, height;
-                if (!mLastTrack->meta->findInt32(kKeyWidth, &width) ||
-                    !mLastTrack->meta->findInt32(kKeyHeight, &height)) {
+                uint32_t width, height;
+                if (!mLastTrack->meta->findInt32(kKeyWidth, (int32_t*)&width) ||
+                    !mLastTrack->meta->findInt32(kKeyHeight,(int32_t*) &height)) {
                     ALOGE("No width or height, assuming worst case 1080p");
                     width = 1920;
                     height = 1080;
+                } else {
+                    // A resolution was specified, check that it's not too big. The values below
+                    // were chosen so that the calculations below don't cause overflows, they're
+                    // not indicating that resolutions up to 32kx32k are actually supported.
+                    if (width > 32768 || height > 32768) {
+                        ALOGE("can't support %u x %u video", width, height);
+                        return ERROR_MALFORMED;
+                    }
                 }
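Review bot: the guard `if (max_size > SIZE_MAX - 10 * 2)` only stops the size_t addition from wrapping, but the sum is then stored with `mLastTrack->meta->setInt32(kKeyMaxInputSize, max_size + 10 * 2);`, so any max_size between INT32_MAX - 20 and SIZE_MAX - 20 passes the check and is silently narrowed to int32 (on common implementations to a negative value). Bounding against the int32 range instead, for example `if (max_size > INT32_MAX - 10 * 2)`, makes the stored key agree with what was checked. The width/height part is fine as written: reading the int32 keys through `(int32_t*)&width` into uint32_t turns a negative dimension into a large unsigned value, which the `width > 32768 || height > 32768` test rejects.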


Actual results:

unsanitized size used later in allocations in multiple places


Expected results:

sanitize size
Updated (Reporter, 2 years ago)
Group: firefox-core-security → core-security
Component: Untriaged → Audio/Video: Playback
Keywords: sec-critical
Product: Firefox → Core
Comment 1 (Reporter, 2 years ago)
I see you check in

  3721         CHECK(mFormat->findInt32(kKeyMaxInputSize, &max_size));
  3722         mBuffer = new MediaBuffer(std::min(max_size, 1024 * 1024));

http://hg.mozilla.org/mozilla-central/file/tip/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp#l3722

then it's safe, sorry.
Also kKeyMaxInputSize is accessed in unused code.

See https://hg.mozilla.org/try/rev/794c73a7496e (from bug 1210319) to get an idea of the libstagefright code that could just be removed, so we don't care if there are any security risks in there.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → INVALID
Group: core-security
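To make the reasoning in the description and in Comment 1 concrete, here is an added example (not code from this bug, from libstagefright or from mozilla-central) that models the two stages separately: the extractor-side sanitization of the maximum sample size and of the frame dimensions, and the consumer-side 1 MiB clamp that Comment 1 points to. The 10-chunk growth of 2 bytes each, the 32768 dimension bound, the 1080p fallback and the 1 MiB clamp are taken from the page; the function names, the -1 rejection sentinel and the area-based size formula are assumptions made for this example.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>

// Added example (not libstagefright code): models the two stages of size
// handling discussed in this bug as stand-alone functions.

// From the patch: at most 10 chunks per buffer, each growing by 2 bytes when
// its 2-byte length prefix is rewritten as a 4-byte start code.
constexpr size_t kChunkGrowth = 10 * 2;

// From the patch: dimensions above this are rejected before any size is
// derived from them. It is an overflow guard, not a supported resolution.
constexpr uint32_t kMaxDimension = 32768;

// From Comment 1: the consumer never allocates more than 1 MiB up front.
constexpr int32_t kMaxUpfrontAlloc = 1024 * 1024;

// Sentinel standing in for ERROR_MALFORMED in this example (assumption).
constexpr int64_t kRejected = -1;

// Stage 1a: sanitize a declared maximum sample size. Because the result ends
// up in an int32 metadata key, the bound covers both the size_t addition and
// the narrowing to int32, so an accepted value is always non-negative.
int64_t sanitizeMaxInputSize(size_t max_size) {
    if (max_size > static_cast<size_t>(INT32_MAX) - kChunkGrowth) {
        return kRejected;
    }
    return static_cast<int64_t>(max_size + kChunkGrowth);
}

// Stage 1b: no size declared, so derive a conservative one from the
// resolution, falling back to 1080p when no dimensions are present (as the
// patch does). Dimensions arrive as int32 keys; reading them as uint32 turns
// a negative value into a large one that fails the same bound. The 1.5
// bytes-per-pixel (4:2:0) area formula is an assumption of this example,
// not the extractor's own calculation.
int64_t deriveMaxInputSize(bool have_dims, int32_t width_key, int32_t height_key) {
    uint32_t width = 1920, height = 1080;
    if (have_dims) {
        width = static_cast<uint32_t>(width_key);
        height = static_cast<uint32_t>(height_key);
        if (width > kMaxDimension || height > kMaxDimension) {
            return kRejected;
        }
    }
    // 32768 * 32768 * 3 / 2 = 1610612736 fits in int32, so after the
    // dimension check this cannot overflow; 64-bit arithmetic and the second
    // bound below keep that explicit rather than implicit.
    uint64_t bytes = static_cast<uint64_t>(width) * height * 3 / 2;
    if (bytes > static_cast<uint64_t>(INT32_MAX) - kChunkGrowth) {
        return kRejected;
    }
    return static_cast<int64_t>(bytes + kChunkGrowth);
}

// Stage 2: the consumer-side clamp from Comment 1. A value that passed stage 1
// is capped at 1 MiB. A negative value, which std::min alone would let through
// and which would become a huge size_t, yields no allocation at all.
size_t allocationSizeFor(int32_t max_input_size) {
    if (max_input_size < 0) {
        return 0;
    }
    return static_cast<size_t>(std::min(max_input_size, kMaxUpfrontAlloc));
}
```

Running the stages back to back shows why the two checks complement each other: `sanitizeMaxInputSize` rejects anything that would not survive the trip through the int32 key, and `allocationSizeFor` bounds the allocation even for a large in-range value such as the 1080p fallback, which is the observation Comment 1 rests on.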