potential integer overflow in libnestegg halloc()

Status: RESOLVED INVALID
Product: Core
Component: Audio/Video

People: Reporter: kernxploit, Assigned: kinetik
Tracking: 47 Branch

Description (Reporter, a year ago)
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Build ID: 20160623154057

Steps to reproduce:

libnestegg's main memory allocation function
void * halloc(void * ptr, size_t len)
from halloc.c (e.g. called by ne_pool_alloc()) does not seem to check for integer overflow when calling the registered memory allocation function pointer:
p = allocator(0, len + sizeof_hblock);

/* calloc */
	if (! ptr)
	{
		if (! len)
			return NULL;

		p = allocator(0, len + sizeof_hblock);
		if (! p)
			return NULL;
#ifndef NDEBUG
		p->magic = HH_MAGIC;
#endif
		hlist_init(&p->children);
		hlist_init_item(&p->siblings);

		return p->data;
	}
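The wrap the report describes, and the check that prevents it, as an added example that is not halloc's or nestegg's code: hblock_t is a hypothetical stand-in for halloc's block header (only its size matters), and demo_allocator is an assumed realloc-style allocator with the allocator(ptr, len) signature seen above.

```c
/* Added example, not halloc/nestegg code: overflow in len + sizeof_hblock and a checked branch. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical stand-in for halloc's block header; only its size matters here. */
typedef struct hblock {
    unsigned magic;
    void *children;   /* halloc keeps hlist heads here; plain pointers suffice for layout */
    void *siblings;
    char data[1];     /* user memory begins at p->data */
} hblock_t;

static const size_t sizeof_hblock = offsetof(hblock_t, data);

/* The unchecked sum from the report: for len close to SIZE_MAX this wraps to a
 * small value, so the allocator returns far fewer bytes than the caller expects. */
size_t unchecked_total(size_t len)
{
    return len + sizeof_hblock;
}

/* 1 if len + sizeof_hblock fits in size_t, 0 if the addition would wrap. */
int halloc_len_is_safe(size_t len)
{
    return len <= SIZE_MAX - sizeof_hblock;
}

/* Assumed realloc-style allocator with halloc's allocator(ptr, len) signature. */
void *demo_allocator(void *ptr, size_t len)
{
    return realloc(ptr, len);
}

/* Checked equivalent of the calloc branch quoted above: same shape, plus the
 * overflow test before the addition. Returns the data area or NULL. */
void *halloc_checked(size_t len, void *(*allocator)(void *, size_t))
{
    hblock_t *p;
    if (!len || !halloc_len_is_safe(len))
        return NULL;                       /* sum would wrap: refuse instead of allocating */
    p = allocator(NULL, len + sizeof_hblock);
    if (!p)
        return NULL;
    p->magic = 0x48481234u;                /* placeholder standing in for HH_MAGIC */
    p->children = p->siblings = NULL;      /* halloc would run hlist_init() here */
    return p->data;
}
```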
Updated (Reporter, a year ago)
Component: Untriaged → File Handling
OS: Unspecified → All
Hardware: Unspecified → All

Comment 1 (a year ago)
Kinetik/Rillian, can you take a look?
Group: firefox-core-security → core-security
Component: File Handling → Audio/Video
Flags: needinfo?(kinetik)
Flags: needinfo?(giles)
Product: Firefox → Core
Group: core-security → media-core-security
Comment 2 (Assignee, a year ago)
It'd be worth reporting this to halloc upstream: https://github.com/apankrat/halloc

I believe nestegg's use is safe because the only two calls to halloc with third-party controlled values are sanitized with size limits on the allocation path, see https://github.com/kinetiknz/nestegg/blob/master/src/nestegg.c#L767 and https://github.com/kinetiknz/nestegg/blob/master/src/nestegg.c#L785
Flags: needinfo?(kinetik)
Updated (Assignee, a year ago)
Flags: needinfo?(giles)
Updated (Assignee, a year ago)
Assignee: nobody → kinetik
Comment 3 (Reporter, a year ago)
(In reply to Matthew Gregan [:kinetik] from comment #2)
> It'd be worth reporting this to halloc upstream:
> https://github.com/apankrat/halloc
Thanks for the link, I will consider it.

> I believe nestegg's use is safe because the only two calls to halloc with
> third-party controlled values are sanitized with size limits on the
> allocation path, see
> https://github.com/kinetiknz/nestegg/blob/master/src/nestegg.c#L767 and
> https://github.com/kinetiknz/nestegg/blob/master/src/nestegg.c#L785
All right. I assume the ebml element size here https://github.com/kinetiknz/nestegg/blob/master/src/nestegg.c#L986 is not third-party controllable?
Comment 4 (Assignee, a year ago)
(In reply to kernxploit from comment #3)
> All right. I assume the ebml element size here
> https://github.com/kinetiknz/nestegg/blob/master/src/nestegg.c#L986 is not
> third-party controllable?

Right, desc->size is sizeof() some nestegg internal struct.
Updated (Reporter, a year ago)
Status: UNCONFIRMED → RESOLVED
Last Resolved: a year ago
Resolution: --- → INVALID
Comment 5 (Assignee, a year ago)
FYI: this was fixed upstream in halloc 1.2.3.
Group: media-core-security