#2009-002 OpenCORE insufficient bounds checking during MP3 decoding Description: OpenCORE, an open source multimedia decoding subsystem, suffers from an integer underflow during Huffman decoding resulting in improper bounds checking when writing to a heap allocated buffer. Decoding a specially crafted mp3 file will result in unexpected process termination or, potentially, arbitrary code execution due to heap corruption. Patches have been made available by PacketVideo: http://ocert.org/patches/2009-002/opencore_mp3_dec.patch http://review.source.android.com/Gerrit#change,8815 Affected version: OpenCore <= 2.0 (secondary affected versions) Android without change 8815 Fixed version: OpenCore >= 2.0 with change 8815 Android with change 8815 Credit: Initial vulnerability report and sample crasher provided by Owen Arden <owen@xxxxxxxxxxxxxxxxxxxxxx> and Charlie Miller <cmiller@xxxxxxxxxxxxxxxxxxxxxx>. Thanks to PacketVideo for the comprehensive analysis and patching. CVE: CVE-2009-0475 Timeline: 2009-01-21: Android Security Team informed of issue 2009-01-23: Android Security Team requested coordination aid from oCERT 2009-01-24: oCERT investigated for other potential affected projects 2009-02-05: vendor supplied patch 2009-02-05: vendor indicated that no other open source projects affected 2009-02-05: did not discover other open source projects affected 2009-02-05: emailed vendor-sec@xxxxxx as a cross-check 2009-02-06: supplied vulnerability analysis to upstream vendor 2009-02-06: walked through affected code with upstream vendor 2009-02-06: CVE assignment requested and received 2009-02-07: advisory published References: http://review.source.android.com/Gerrit#change,8815 http://review.source.android.com/Gerrit#change,8604 http://android.git.kernel.org/?p=platform/external/opencore.git;a=summary http://android.git.kernel.org/?p=platform/external/opencore.git;a=blob;f=codecs_v2/audio/mp3/dec/src/pvmp3_huffman_parsing.cpp;h=491c0cc1b05adecb4ed2d53489c82e7fb4f46108;hb=d8b443ddaa386ed85ba31fbd663c40423a8d4ded http://android.git.kernel.org/?p=platform/external/opencore.git;a=blob;f=codecs_v2/audio/mp3/dec/src/pvmp3_mpeg2_stereo_proc.cpp;h=bc4c227fbd60f3f0a90355d7d52c71d46cd4a87c;hb=d8b443ddaa386ed85ba31fbd663c40423a8d4ded Links: http://www.packetvideo.com/products/core/index.html http://android.git.kernel.org http://android.com Permalink: http://www.ocert.org/advisories/ocert-2009-002.html -- Will Drewry <redpig@xxxxxxxxx> oCERT Team :: http://ocert.org