oCERT-2009-002 OpenCORE insufficient boundary checking during MP3 decoding
Description:
OpenCORE, an open source multimedia decoding subsystem, suffers from an integer underflow during Huffman decoding that results in improper bounds checking when writing to a heap-allocated buffer. Decoding a specially crafted MP3 file results in unexpected process termination or, potentially, arbitrary code execution due to heap corruption.
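The following is an added illustration of the bug class the description names, written for this advisory and not taken from OpenCORE or the PacketVideo patch: a region length is derived by unsigned subtraction from header-supplied values, so an inconsistent header wraps the count and defeats the bounds check on the output buffer. The header fields (big_values, region_start), the buffer size and the stand-in "decoding" are constructed for the example; the hardened variant rejects the header before any write happens.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed buffer size for the example (samples per output block). */
#define OUT_SAMPLES 576u

/* Hypothetical header fields, modelled on the kind of values an MP3 decoder
 * reads from the stream before Huffman decoding. */
typedef struct {
    uint32_t big_values;   /* Huffman-coded sample pairs declared by the header */
    uint32_t region_start; /* first sample index of the region being decoded */
} region_hdr_t;

/* Unchecked variant (constructed to show the bug class): the remaining-sample
 * count is produced by unsigned subtraction. If the stream declares
 * region_start beyond big_values*2, the result wraps to roughly 4 billion and
 * any write loop bounded by it runs far past the output buffer. */
uint32_t region_len_unchecked(const region_hdr_t *h)
{
    return h->big_values * 2u - h->region_start;
}

/* Hardened variant: validate the ordering before subtracting and cap the
 * declared size at what the output buffer can hold. Returns false (and sets
 * *len to 0) when the header is inconsistent. */
bool region_len_checked(const region_hdr_t *h, uint32_t *len)
{
    *len = 0;
    if (h->big_values > OUT_SAMPLES / 2u)
        return false;                      /* more samples than the buffer holds */
    uint32_t end = h->big_values * 2u;     /* cannot overflow: bounded above */
    if (h->region_start > end)
        return false;                      /* subtraction would underflow */
    *len = end - h->region_start;
    return true;
}

/* Writes the region into out[]. The sample values are a stand-in (derived from
 * the input bytes) because real Huffman tables are not needed to show the
 * bounds logic. Returns the number of samples written, or -1 if the header was
 * rejected. */
int decode_region(int16_t *out, size_t out_cap, const region_hdr_t *h,
                  const uint8_t *bits, size_t nbits)
{
    uint32_t len;
    if (!region_len_checked(h, &len))
        return -1;
    if ((size_t)h->region_start + len > out_cap)
        return -1;                         /* explicit guard against the caller's buffer */
    for (uint32_t i = 0; i < len; i++) {
        uint8_t b = nbits ? bits[i % nbits] : 0;
        out[h->region_start + i] = (int16_t)(b - 128);
    }
    return (int)len;
}
```

With a header declaring 50 pairs (100 samples) but a region start of 120, the unchecked subtraction yields 4294967276; the checked variant refuses the header, so the write loop is never entered. A decoder that only compares the loop index against the wrapped length would pass its own check and still write outside the heap buffer.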
Patches have been made available by PacketVideo:
OpenCORE patch
public changelist
Affected version:
OpenCORE <= 2.0
(secondary affected versions)
Fixed version:
Credit: Initial vulnerability report and sample crasher provided by Owen Arden <owen [at] securityevaluators [dot] com> and Charlie Miller <cmiller [at] securityevaluators [dot] com>. In addition, oCERT would like to thank PacketVideo for the comprehensive analysis and patch.
CVE: CVE-2009-0475
Timeline:
2009-01-21: Android Security Team informed of issues
2009-01-23: Android Security Team requested coordination aid from oCERT
2009-01-24: oCERT investigated for other potential affected projects
2009-02-05: vendor supplied patch
2009-02-05: indicated that no other open source projects appear affected
2009-02-05: emailed vendor-sec@lst.de as a cross-check
2009-02-06: supplied vulnerability analysis to upstream vendor
2009-02-06: walked through affected code with upstream vendor
2009-02-06: CVE assignment requested and assigned
2009-02-07: advisory release
References:
pvmp3_huffman_parsing.cpp
pvmp3_mpeg2_stereo_proc.cpp
OpenCORE 2.0 submission
Android Git Repository