Failure to initialise pointers in mkvparser::Tracks constructor

vendor:

LG Parser MKV

by:

Project Zero

8,8

CVSS

HIGH

Failure to initialise pointers

457

CWE

Product Name: LG Parser MKV

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Android

2017

Failure to initialise pointers in mkvparser::Tracks constructor

The constructor mkvparser::Tracks::Tracks() fails to handle parsing failures correctly. If the parsing of the Track object fails, the pointers are left uninitialised. Subsequent code will then dereference and use the uninitialised pointers, which can lead to a crash.

Mitigation:

Ensure that the parsing of the Track object is handled correctly and that the pointers are initialised correctly.

Source

Exploit-DB raw data:

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1117

Failure to initialise pointers in mkvparser::Tracks constructor

The constructor mkvparser::Tracks::Tracks() doesn't handle parsing failures correctly.

If we look at the function, it makes allocations in two places; the first where it allocates a temporary array, and the second, where we make the allocation of an array of Track* which we will store in the Tracks object. Note that there is no path in the function which can free the second allocation; if the parsing of the Track object fails in the subsequent code these pointers are left uninitialised.

Subsequent code will then dereference and use the uninitialised pointers. The results of this obviously depend on the state of the heap prior to parsing of the testcase - a commonly occuring crash where a vtable pointer has been read through the bad pointer during destruction of the Tracks object.

Build fingerprint: 'lge/p1_global_com/p1:6.0/MRA58K/1624210305d45:user/release-keys'
Revision: '11'
ABI: 'arm'
pid: 31956, tid: 31904, name: NuPlayerDriver   >>> /system/bin/mediaserver <<<
signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0xf62c9880
    r0 eee45000  r1 f62e4b60  r2 f62c9880  r3 eb1c08a0
AM write failed: Broken pipe
    r4 f1859da0  r5 f15ce05c  r6 f15ce060  r7 f62c9880
    r8 fffdfc60  r9 efc3f5f4  sl 6175644e  fp f6f50c11
    ip eb1c0d18  sp efc3f4c0  lr eb1b19b5  pc f62c9880  cpsr a00f0010

backtrace:
    #00 pc 00049880  [anon:libc_malloc]
    #01 pc 0000c9b3  /system/lib/liblg_parser_mkv.so (_ZN9mkvparser6TracksD1Ev+34)
    #02 pc 0000c9cd  /system/lib/liblg_parser_mkv.so (_ZN9mkvparser6TracksD0Ev+4)
    #03 pc 0001150d  /system/lib/liblg_parser_mkv.so (_ZN9mkvparser7SegmentD1Ev+60)
    #04 pc 0000b015  /system/lib/liblg_parser_mkv.so (_ZN12MkvExtractorD1Ev+10)
    #05 pc 00009449  /system/lib/liblg_parser_mkv.so (_ZN9MKVParser5CloseEv+24)
    #06 pc 0002739b  /system/lib/libLGParserOSAL.so (_ZN7android14LGMKVExtractorD1Ev+38)
    #07 pc 00027425  /system/lib/libLGParserOSAL.so (_ZN7android14LGMKVExtractorD0Ev+4)
    #08 pc 0000e753  /system/lib/libutils.so (_ZNK7android7RefBase9decStrongEPKv+50)
    #09 pc 00027481  /system/lib/libLGParserOSAL.so
    #10 pc 000274d9  /system/lib/libLGParserOSAL.so (_ZN7android14LGMKVExtractor11LGMKVSourceD0Ev+4)
    #11 pc 0000e753  /system/lib/libutils.so (_ZNK7android7RefBase9decStrongEPKv+50)
    #12 pc 000329bd  /system/lib/liblgesourceplugin.so (_ZN7android2spINS_3lge20StreamingBufferQueueEED1Ev+18)
    #13 pc 0005997d  /system/lib/liblgesourceplugin.so (_ZNK7android6VectorINS_2spINS_11MediaSourceEEEE10do_destroyEPvj+12)
    #14 pc 00010b6d  /system/lib/libutils.so (_ZN7android10VectorImpl15release_storageEv+28)
    #15 pc 00010bd9  /system/lib/libutils.so (_ZN7android10VectorImpl13finish_vectorEv+4)
    #16 pc 00058cb7  /system/lib/liblgesourceplugin.so
    #17 pc 0005a695  /system/lib/liblgesourceplugin.so (_ZN7android9PDSessionD1Ev+292)
    #18 pc 0005a6d9  /system/lib/liblgesourceplugin.so (_ZN7android9PDSessionD0Ev+4)
    #19 pc 0000e753  /system/lib/libutils.so (_ZNK7android7RefBase9decStrongEPKv+50)
    #20 pc 00057f69  /system/lib/liblgesourceplugin.so (_ZN7android12HTTPPDSource4stopEv+72)
    #21 pc 0006bc51  /system/lib/libmediaplayerservice.so (_ZN7android8NuPlayer12performResetEv+168)
    #22 pc 0006b103  /system/lib/libmediaplayerservice.so (_ZN7android8NuPlayer22processDeferredActionsEv+90)
    #23 pc 00069ca1  /system/lib/libmediaplayerservice.so (_ZN7android8NuPlayer17onMessageReceivedERKNS_2spINS_8AMessageEEE+4944)
    #24 pc 0000b309  /system/lib/libstagefright_foundation.so (_ZN7android8AHandler14deliverMessageERKNS_2spINS_8AMessageEEE+16)
    #25 pc 0000d2ef  /system/lib/libstagefright_foundation.so (_ZN7android8AMessage7deliverEv+54)
    #26 pc 0000bd15  /system/lib/libstagefright_foundation.so (_ZN7android7ALooper4loopEv+224)
    #27 pc 000100d1  /system/lib/libutils.so (_ZN7android6Thread11_threadLoopEPv+112)
    #28 pc 0003f9ab  /system/lib/libc.so (_ZL15__pthread_startPv+30)
    #29 pc 0001a0c5  /system/lib/libc.so (__start_thread+6)


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41982.zip