exploit-db-mirror/exploits/android/dos/41981.txt

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1102

In both of the following functions
mkvparser::AudioTrack::AudioTrack(mkvparser::Segment*, mkvparser::Track::Info const&, long long, long long)
mkvparser::VideoTrack::VideoTrack(mkvparser::Segment*, mkvparser::Track::Info const&, long long, long long)

During EBML node parsing the EBML element_size is used unvalidated to allocate a
stack buffer to store the element contents. Since calls to alloca simply compile
to a subtraction from the current stack pointer, for large sizes this can result
in memory corruption and potential remote-code-execution in the mediaserver 
process.

Tested on an LG-G4 with the latest firmware available for my device; MRA58K.

See attached for crash samples and the original unmodified file.

(audio_track.mkv)

Build fingerprint: 'lge/p1_global_com/p1:6.0/MRA58K/1624210305d45:user/release-keys'
Revision: '11'
ABI: 'arm'
pid: 16668, tid: 16986, name: pd_session  >>> /system/bin/mediaserver <<<
AM write failed: Broken pipe
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x2e924108
    r0 c01db33f  r1 efd34940  r2 0000022c  r3 2e924118
    r4 f1449d80  r5 eeaff4d0  r6 eeaff470  r7 eeaff458
    r8 f144f228  r9 00000000  sl 0000022c  fp 00000000
    ip 00000000  sp 2e924108  lr efd2afeb  pc efd2b2c0  cpsr 800f0030

backtrace:
    #00 pc 000122c0  /system/lib/liblg_parser_mkv.so (_ZN9mkvparser10AudioTrackC1EPNS_7SegmentERKNS_5Track4InfoExx+123)
    #01 pc 0001247b  /system/lib/liblg_parser_mkv.so (_ZN9mkvparser6Tracks15ParseTrackEntryExxRPNS_5TrackExx+222)
    #02 pc 00012635  /system/lib/liblg_parser_mkv.so (_ZN9mkvparser6TracksC1EPNS_7SegmentExxxx+372)
    #03 pc 000128a9  /system/lib/liblg_parser_mkv.so (_ZN9mkvparser7Segment12ParseHeadersEv+552)
    #04 pc 0000c821  /system/lib/liblg_parser_mkv.so (_ZN12MkvExtractorC1EP11IDataSourceb+132)
    #05 pc 00009d01  /system/lib/liblg_parser_mkv.so (_ZN9MKVParser4OpenEP11IDataSource+56)
    #06 pc 000271f9  /system/lib/libLGParserOSAL.so (_ZN7android14LGMKVExtractorC2ERKNS_2spINS_10DataSourceEEE+200)
    #07 pc 00022a85  /system/lib/libLGParserOSAL.so (_ZN7android15LGExtractorOSAL17CreateLGExtractorERKNS_2spINS_10DataSourceEEEPKcRKNS1_INS_8AMessageEEE+68)
    #08 pc 000c033b  /system/lib/libstagefright.so (_ZN7android14MediaExtractor6CreateERKNS_2spINS_10DataSourceEEEPKc+242)
    #09 pc 0005a209  /system/lib/liblgesourceplugin.so (_ZN7android9PDSession18initFromDataSourceEv+312)
    #10 pc 0005d1bf  /system/lib/liblgesourceplugin.so (_ZN7android9PDSession14onPrepareAsyncEv+490)
    #11 pc 0005d471  /system/lib/liblgesourceplugin.so (_ZN7android9PDSession17onMessageReceivedERKNS_2spINS_8AMessageEEE+68)
    #12 pc 0000b309  /system/lib/libstagefright_foundation.so (_ZN7android8AHandler14deliverMessageERKNS_2spINS_8AMessageEEE+16)
    #13 pc 0000d2ef  /system/lib/libstagefright_foundation.so (_ZN7android8AMessage7deliverEv+54)
    #14 pc 0000bd15  /system/lib/libstagefright_foundation.so (_ZN7android7ALooper4loopEv+224)
    #15 pc 000100d1  /system/lib/libutils.so (_ZN7android6Thread11_threadLoopEPv+112)
    #16 pc 0003f9ab  /system/lib/libc.so (_ZL15__pthread_startPv+30)
    #17 pc 0001a0c5  /system/lib/libc.so (__start_thread+6)

(video_track.mkv)

pid: 18217, tid: 18508, name: pd_session  >>> /system/bin/mediaserver <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x2ae64110
    r0 c01db33f  r1 efd5e940  r2 000001bd  r3 00000000
AM write failed: Broken pipe
    r4 eb03f4d0  r5 f1409b40  r6 eb03f470  r7 eb03f460
    r8 f140f360  r9 2ae64120  sl c01db4fc  fp 00000000
    ip efd5ee80  sp 2ae64110  lr efd54feb  pc efd5517a  cpsr 800f0030

backtrace:
    #00 pc 0001217a  /system/lib/liblg_parser_mkv.so (_ZN9mkvparser10VideoTrackC1EPNS_7SegmentERKNS_5Track4InfoExx+113)
    #01 pc 00012449  /system/lib/liblg_parser_mkv.so (_ZN9mkvparser6Tracks15ParseTrackEntryExxRPNS_5TrackExx+172)
    #02 pc 00012635  /system/lib/liblg_parser_mkv.so (_ZN9mkvparser6TracksC1EPNS_7SegmentExxxx+372)
    #03 pc 000128a9  /system/lib/liblg_parser_mkv.so (_ZN9mkvparser7Segment12ParseHeadersEv+552)
    #04 pc 0000c821  /system/lib/liblg_parser_mkv.so (_ZN12MkvExtractorC1EP11IDataSourceb+132)
    #05 pc 00009d01  /system/lib/liblg_parser_mkv.so (_ZN9MKVParser4OpenEP11IDataSource+56)
    #06 pc 000271f9  /system/lib/libLGParserOSAL.so (_ZN7android14LGMKVExtractorC2ERKNS_2spINS_10DataSourceEEE+200)
    #07 pc 00022a85  /system/lib/libLGParserOSAL.so (_ZN7android15LGExtractorOSAL17CreateLGExtractorERKNS_2spINS_10DataSourceEEEPKcRKNS1_INS_8AMessageEEE+68)
    #08 pc 000c033b  /system/lib/libstagefright.so (_ZN7android14MediaExtractor6CreateERKNS_2spINS_10DataSourceEEEPKc+242)
    #09 pc 0005a209  /system/lib/liblgesourceplugin.so (_ZN7android9PDSession18initFromDataSourceEv+312)
    #10 pc 0005d1bf  /system/lib/liblgesourceplugin.so (_ZN7android9PDSession14onPrepareAsyncEv+490)
    #11 pc 0005d471  /system/lib/liblgesourceplugin.so (_ZN7android9PDSession17onMessageReceivedERKNS_2spINS_8AMessageEEE+68)
    #12 pc 0000b309  /system/lib/libstagefright_foundation.so (_ZN7android8AHandler14deliverMessageERKNS_2spINS_8AMessageEEE+16)
    #13 pc 0000d2ef  /system/lib/libstagefright_foundation.so (_ZN7android8AMessage7deliverEv+54)
    #14 pc 0000bd15  /system/lib/libstagefright_foundation.so (_ZN7android7ALooper4loopEv+224)
    #15 pc 000100d1  /system/lib/libutils.so (_ZN7android6Thread11_threadLoopEPv+112)
    #16 pc 0003f9ab  /system/lib/libc.so (_ZL15__pthread_startPv+30)
    #17 pc 0001a0c5  /system/lib/libc.so (__start_thread+6)


Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41981.zip