oCERT Advisories

#2009-002 OpenCORE insufficient boundary checking during MP3 decoding

Description:

OpenCORE, an open source multimedia decoding subsystem, suffers from an integer underflow during Huffman decoding resulting in improper bounds checking when writing to a heap allocated buffer. Decoding a specially crafted mp3 file will result in unexpected process termination or, potentially, arbitrary code execution due to heap corruption.

Patches have been made available by PacketVideo:
 OpenCORE patch
 public changelist

Affected version:

OpenCORE <= 2.0

(secondary affected versions)

Android without 8815

Fixed version:

OpenCORE with 8815

Android with 8815

Credit: Initial vulnerability report and sample crasher provided by Owen Arden <owen [at] securityevaluators [dot] com> and Charlie Miller <cmiller [at] securityevaluators [dot] com>. In addition, oCERT would like to thank PacketVideo for the comprehensive analysis and patch.

CVE: CVE-2009-0475

Timeline:

2009-01-21: Android Security Team informed of issues
2009-01-23: Android Security Team requested coordination aid from oCERT
2009-01-24: oCERT investigated for other potential affected projects
2009-02-05: vendor supplied patch
2009-02-05: indicated that no other open source projects appear affected
2009-02-05: emailed vendor-sec@lst.de as a cross-check
2009-02-06: supplied vulnerability analysis to upstream vendor
2009-02-06: walked through affected code with upstream vendor
2009-02-06: CVE assignment requested and assigned
2009-02-07: advisory release

References:
pvmp3_huffman_parsing.cpp
pvmp3_mpeg2_stereo_proc.cpp
OpenCORE 2.0 submission
Android Git Repository

Permalink:
http://www.ocert.org/advisories/ocert-2009-002.html

© oCERT.org - Some rights reserved.