Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=523
- The attached file causes a crash in ih264d_process_intra_mb in avc parsing, likely due to incorrect bounds checking in one of the memcpy or memset calls in the method.
- The file crashes with the following stack trace in M:
- 09-08 15:51:01.212 8488 8951 F libc : Fatal signal 11 (SIGSEGV), code 1, fault addr 0x0 in tid 8951 (le.h264.decoder)
- 09-08 15:51:01.313 198 198 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
- 09-08 15:51:01.313 198 198 F DEBUG : Build fingerprint: 'google/hammerhead/hammerhead:6.0/MRA58G/2228996:userdebug/dev-keys'
- 09-08 15:51:01.313 198 198 F DEBUG : Revision: '0'
- 09-08 15:51:01.313 198 198 F DEBUG : ABI: 'arm'
- 09-08 15:51:01.313 198 198 F DEBUG : pid: 8488, tid: 8951, name: le.h264.decoder >>> /system/bin/mediaserver <<<
- 09-08 15:51:01.313 198 198 F DEBUG : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
- 09-08 15:51:01.317 796 938 W NativeCrashListener: Couldn't find ProcessRecord for pid 8488
- 09-08 15:51:01.322 198 198 F DEBUG : r0 ad7877e0 r1 b21cabf8 r2 00000001 r3 00000220
- 09-08 15:51:01.322 198 198 E DEBUG : AM write failed: Broken pipe
- 09-08 15:51:01.322 198 198 F DEBUG : r4 000000c5 r5 0000000a r6 00000000 r7 00000005
- 09-08 15:51:01.322 198 198 F DEBUG : r8 b3098400 r9 b21cabf8 sl 00000001 fp 00000220
- 09-08 15:51:01.322 198 198 F DEBUG : ip b3099bbc sp ad7876a0 lr b1c38ab7 pc 00000000 cpsr 200d0010
- 09-08 15:51:01.329 198 198 F DEBUG :
- 09-08 15:51:01.329 198 198 F DEBUG : backtrace:
- 09-08 15:51:01.329 198 198 F DEBUG : #00 pc 00000000 <unknown>
- 09-08 15:51:01.329 198 198 F DEBUG : #01 pc 00018ab5 /system/lib/libstagefright_soft_avcdec.so (ih264d_process_intra_mb+2544)
- 09-08 15:51:01.329 198 198 F DEBUG : #02 pc 0000de03 /system/lib/libstagefright_soft_avcdec.so (ih264d_recon_deblk_slice+610)
- 09-08 15:51:01.329 198 198 F DEBUG : #03 pc 0000e0b9 /system/lib/libstagefright_soft_avcdec.so (ih264d_recon_deblk_thread+64)
- 09-08 15:51:01.329 198 198 F DEBUG : #04 pc 0003f3e7 /system/lib/libc.so (__pthread_start(void*)+30)
- 09-08 15:51:01.329 198 198 F DEBUG : #05 pc 00019b43 /system/lib/libc.so (__start_thread+6)
- 09-08 15:51:01.627 198 198 F DEBUG :
- 09-08 15:51:01.627 198 198 F DEBUG : Tombstone written to: /data/tombstones/tombstone_02
- It crashes with the following trace in L:
- W/NativeCrashListener( 2256): Couldn't find ProcessRecord for pid 26174
- I/DEBUG ( 6837): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
- E/DEBUG ( 6837): AM write failure (32 / Broken pipe)
- I/DEBUG ( 6837): Build fingerprint: 'google/shamu/shamu:5.1.1/LYZ28K/2168912:user/release-keys'
- I/DEBUG ( 6837): Revision: '33696'
- I/DEBUG ( 6837): ABI: 'arm'
- I/DEBUG ( 6837): pid: 26174, tid: 7029, name: le.h264.decoder >>> /system/bin/mediaserver <<<
- I/DEBUG ( 6837): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
- I/DEBUG ( 6837): r0 0000000f r1 ffffffff r2 af2e286c r3 00000007
- I/DEBUG ( 6837): r4 af2e286c r5 00000010 r6 00000000 r7 00000000
- I/DEBUG ( 6837): r8 0d452c00 r9 af2fc9c8 sl a36c81f7 fp 1e1a8a58
- I/DEBUG ( 6837): ip ffffffff sp af2e2840 lr 0000000f pc af2ea8f0 cpsr 800c0010
- I/DEBUG ( 6837):
- I/DEBUG ( 6837): backtrace:
- I/DEBUG ( 6837): #00 pc 000078f0 /system/lib/libstagefright_soft_h264dec.so
- I/DEBUG ( 6837): #01 pc 0000000d <unknown>
- I/DEBUG ( 6837):
- I/DEBUG ( 6837): Tombstone written to: /data/tombstones/tombstone_09
- To reproduce the issue, download the attached file, and wait for it to be thumbnailed. This can be triggered by opening the downloads folder in the Photos application.
- Reported to Android here: https://code.google.com/p/android/issues/detail?id=185644
- Proof of Concept:
- https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39651.zip
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement