oCERT-2009-002 OpenCORE insufficient boundary checking during MP3 decoding


OpenCORE, an open source multimedia decoding subsystem, suffers from an integer underflow during Huffman decoding, resulting in improper bounds checking when writing to a heap-allocated buffer. Decoding a specially crafted MP3 file will result in unexpected process termination or, potentially, arbitrary code execution due to heap corruption.
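As an added illustration of the bug class named above, not code from OpenCORE or from the PacketVideo patch: a constructed decoder output-buffer check in which an unsigned subtraction wraps and lets a write run past the end of the buffer, beside the corrected ordering of the comparisons. All names (flawed_has_room, fixed_has_room, emit_samples) and the buffer layout are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration of the bug class the advisory describes: an
 * unsigned subtraction wraps, so a "space remaining" check passes and the
 * decoder writes past the end of a heap buffer. All names are hypothetical;
 * none of this is OpenCORE code. */

/* Flawed check: computes the space left as out_len - pos before verifying
 * that pos is inside the buffer. With size_t, pos > out_len wraps to a huge
 * value, so any count is accepted. Returns 1 when the write would be allowed. */
int flawed_has_room(size_t out_len, size_t pos, size_t count)
{
    size_t room = out_len - pos;      /* wraps when pos > out_len */
    return count <= room;
}

/* Fixed check: order the comparisons so no subtraction can wrap. */
int fixed_has_room(size_t out_len, size_t pos, size_t count)
{
    if (pos > out_len)                /* cursor already outside the buffer */
        return 0;
    return count <= out_len - pos;    /* now out_len - pos cannot wrap */
}

/* Decoded-sample sink guarded by the fixed check. Returns the number of
 * samples written, 0 when the request was refused. */
size_t emit_samples(int16_t *out, size_t out_len, size_t pos,
                    size_t count, int16_t value)
{
    if (!fixed_has_room(out_len, pos, count))
        return 0;
    for (size_t i = 0; i < count; i++)
        out[pos + i] = value;
    return count;
}

int main(void)
{
    int16_t out[16] = {0};            /* stand-in for the decoder's output buffer */
    /* A cursor past the end: the flawed check accepts, the fixed one refuses. */
    printf("flawed accepts pos=20,count=4: %d\n", flawed_has_room(16, 20, 4));
    printf("fixed accepts pos=20,count=4:  %d\n", fixed_has_room(16, 20, 4));
    printf("written at pos=12,count=4: %zu\n", emit_samples(out, 16, 12, 4, 1));
    printf("written at pos=12,count=5: %zu\n", emit_samples(out, 16, 12, 5, 1));
    return 0;
}
```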

Patches have been made available by PacketVideo:
 OpenCORE patch
 public changelist

Affected version:

OpenCORE <= 2.0

(secondary affected versions)

Android without 8815

Fixed version:

OpenCORE with 8815

Android with 8815

Credit: Initial vulnerability report and sample crasher provided by Owen Arden <owen [at] securityevaluators [dot] com> and Charlie Miller <cmiller [at] securityevaluators [dot] com>. In addition, oCERT would like to thank PacketVideo for the comprehensive analysis and patch.

CVE: CVE-2009-0475


2009-01-21: Android Security Team informed of issues
2009-01-23: Android Security Team requested coordination aid from oCERT
2009-01-24: oCERT investigated other potentially affected projects
2009-02-05: vendor supplied patch
2009-02-05: indicated that no other open source projects appear affected
2009-02-05: emailed vendor-sec@lst.de as a cross-check
2009-02-06: supplied vulnerability analysis to upstream vendor
2009-02-06: walked through affected code with upstream vendor
2009-02-06: CVE assignment requested and assigned
2009-02-07: advisory release

OpenCORE 2.0 submission
Android Git Repository