Android - ih264d_process_intra_mb Memory Corruption

1. Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=523
2.  
3. The attached file causes a crash in ih264d_process_intra_mb in avc parsing, likely due to incorrect bounds checking in one of the memcpy or memset calls in the method.
4.  
5. The file crashes with the following stack trace in M:
6.  
7. 09-08 15:51:01.212 8488 8951 F libc : Fatal signal 11 (SIGSEGV), code 1, fault addr 0x0 in tid 8951 (le.h264.decoder)
8. 09-08 15:51:01.313 198 198 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
9. 09-08 15:51:01.313 198 198 F DEBUG : Build fingerprint: 'google/hammerhead/hammerhead:6.0/MRA58G/2228996:userdebug/dev-keys'
10. 09-08 15:51:01.313 198 198 F DEBUG : Revision: '0'
11. 09-08 15:51:01.313 198 198 F DEBUG : ABI: 'arm'
12. 09-08 15:51:01.313 198 198 F DEBUG : pid: 8488, tid: 8951, name: le.h264.decoder >>> /system/bin/mediaserver <<<
13. 09-08 15:51:01.313 198 198 F DEBUG : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
14. 09-08 15:51:01.317 796 938 W NativeCrashListener: Couldn't find ProcessRecord for pid 8488
15. 09-08 15:51:01.322 198 198 F DEBUG : r0 ad7877e0 r1 b21cabf8 r2 00000001 r3 00000220
16. 09-08 15:51:01.322 198 198 E DEBUG : AM write failed: Broken pipe
17. 09-08 15:51:01.322 198 198 F DEBUG : r4 000000c5 r5 0000000a r6 00000000 r7 00000005
18. 09-08 15:51:01.322 198 198 F DEBUG : r8 b3098400 r9 b21cabf8 sl 00000001 fp 00000220
19. 09-08 15:51:01.322 198 198 F DEBUG : ip b3099bbc sp ad7876a0 lr b1c38ab7 pc 00000000 cpsr 200d0010
20. 09-08 15:51:01.329 198 198 F DEBUG :
21. 09-08 15:51:01.329 198 198 F DEBUG : backtrace:
22. 09-08 15:51:01.329 198 198 F DEBUG : #00 pc 00000000 <unknown>
23. 09-08 15:51:01.329 198 198 F DEBUG : #01 pc 00018ab5 /system/lib/libstagefright_soft_avcdec.so (ih264d_process_intra_mb+2544)
24. 09-08 15:51:01.329 198 198 F DEBUG : #02 pc 0000de03 /system/lib/libstagefright_soft_avcdec.so (ih264d_recon_deblk_slice+610)
25. 09-08 15:51:01.329 198 198 F DEBUG : #03 pc 0000e0b9 /system/lib/libstagefright_soft_avcdec.so (ih264d_recon_deblk_thread+64)
26. 09-08 15:51:01.329 198 198 F DEBUG : #04 pc 0003f3e7 /system/lib/libc.so (__pthread_start(void*)+30)
27. 09-08 15:51:01.329 198 198 F DEBUG : #05 pc 00019b43 /system/lib/libc.so (__start_thread+6)
28. 09-08 15:51:01.627 198 198 F DEBUG :
29. 09-08 15:51:01.627 198 198 F DEBUG : Tombstone written to: /data/tombstones/tombstone_02
30.  
31. It crashes with the following trace in L:
32.  
33. W/NativeCrashListener( 2256): Couldn't find ProcessRecord for pid 26174
34. I/DEBUG ( 6837): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
35. E/DEBUG ( 6837): AM write failure (32 / Broken pipe)
36. I/DEBUG ( 6837): Build fingerprint: 'google/shamu/shamu:5.1.1/LYZ28K/2168912:user/release-keys'
37. I/DEBUG ( 6837): Revision: '33696'
38. I/DEBUG ( 6837): ABI: 'arm'
39. I/DEBUG ( 6837): pid: 26174, tid: 7029, name: le.h264.decoder >>> /system/bin/mediaserver <<<
40. I/DEBUG ( 6837): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
41. I/DEBUG ( 6837): r0 0000000f r1 ffffffff r2 af2e286c r3 00000007
42. I/DEBUG ( 6837): r4 af2e286c r5 00000010 r6 00000000 r7 00000000
43. I/DEBUG ( 6837): r8 0d452c00 r9 af2fc9c8 sl a36c81f7 fp 1e1a8a58
44. I/DEBUG ( 6837): ip ffffffff sp af2e2840 lr 0000000f pc af2ea8f0 cpsr 800c0010
45. I/DEBUG ( 6837):
46. I/DEBUG ( 6837): backtrace:
47. I/DEBUG ( 6837): #00 pc 000078f0 /system/lib/libstagefright_soft_h264dec.so
48. I/DEBUG ( 6837): #01 pc 0000000d <unknown>
49. I/DEBUG ( 6837):
50. I/DEBUG ( 6837): Tombstone written to: /data/tombstones/tombstone_09
51.  
52. To reproduce the issue, download the attached file, and wait for it to be thumbnailed. This can be triggered by opening the downloads folder in the Photos application.
53.  
54. Reported to Android here: https://code.google.com/p/android/issues/detail?id=185644
55.  
56.  
57. Proof of Concept:
58. https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39651.zip