[oCERT-2009-002] OpenCORE insufficient bounds checking during MP3 decoding

To: oss-security@xxxxxxxxxxxxxxxxxx, ocert-announce@xxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
Subject: [oCERT-2009-002] OpenCORE insufficient bounds checking during MP3 decoding
From: Will Drewry <redpig@xxxxxxxxx>
Date: Sat, 7 Feb 2009 10:45:11 -0600
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Sender: wad@xxxxxxxxxxxxx

#2009-002 OpenCORE insufficient bounds checking during MP3 decoding

Description:

OpenCORE, an open source multimedia decoding subsystem, suffers from an
integer underflow during Huffman decoding resulting in improper bounds
checking when writing to a heap allocated buffer.  Decoding a specially
crafted mp3 file will result in unexpected process termination or,
potentially, arbitrary code execution due to heap corruption.

Patches have been made available by PacketVideo:

   http://ocert.org/patches/2009-002/opencore_mp3_dec.patch
   http://review.source.android.com/Gerrit#change,8815


Affected version:

OpenCore <= 2.0

(secondary affected versions)

Android without change 8815


Fixed version:

OpenCore >= 2.0 with change 8815

Android with change 8815


Credit: Initial vulnerability report and sample crasher provided by
        Owen Arden <owen@xxxxxxxxxxxxxxxxxxxxxx> and
        Charlie Miller <cmiller@xxxxxxxxxxxxxxxxxxxxxx>.
        Thanks to PacketVideo for the comprehensive analysis and
        patching.


CVE: CVE-2009-0475


Timeline:
2009-01-21: Android Security Team informed of issue
2009-01-23: Android Security Team requested coordination aid from oCERT
2009-01-24: oCERT investigated for other potential affected projects
2009-02-05: vendor supplied patch
2009-02-05: vendor indicated that no other open source projects affected
2009-02-05: did not discover other open source projects affected
2009-02-05: emailed vendor-sec@xxxxxx as a cross-check
2009-02-06: supplied vulnerability analysis to upstream vendor
2009-02-06: walked through affected code with upstream vendor
2009-02-06: CVE assignment requested and received
2009-02-07: advisory published


References:
http://review.source.android.com/Gerrit#change,8815
http://review.source.android.com/Gerrit#change,8604
http://android.git.kernel.org/?p=platform/external/opencore.git;a=summary
http://android.git.kernel.org/?p=platform/external/opencore.git;a=blob;f=codecs_v2/audio/mp3/dec/src/pvmp3_huffman_parsing.cpp;h=491c0cc1b05adecb4ed2d53489c82e7fb4f46108;hb=d8b443ddaa386ed85ba31fbd663c40423a8d4ded
http://android.git.kernel.org/?p=platform/external/opencore.git;a=blob;f=codecs_v2/audio/mp3/dec/src/pvmp3_mpeg2_stereo_proc.cpp;h=bc4c227fbd60f3f0a90355d7d52c71d46cd4a87c;hb=d8b443ddaa386ed85ba31fbd663c40423a8d4ded


Links:
http://www.packetvideo.com/products/core/index.html
http://android.git.kernel.org
http://android.com


Permalink:
http://www.ocert.org/advisories/ocert-2009-002.html


--
Will Drewry <redpig@xxxxxxxxx>
oCERT Team :: http://ocert.org

Prev by Date: [ GLSA 200902-01 ] sudo: Privilege escalation
Next by Date: [SECURITY] [DSA 1718-1] New boinc packages fix validation bypass
Previous by thread: [ GLSA 200902-01 ] sudo: Privilege escalation
Next by thread: [SECURITY] [DSA 1718-1] New boinc packages fix validation bypass
Index(es):
- Date
- Thread