Multiple Vulnerabilities in OMX Allow Memory Corruption of MediaServer (CVE-2016-2477, CVE-2016-2478, CVE-2016-2480, CVE-2016-2482)
Release Date:
June 17, 2016
Affected Projects:
Android for MSM, Firefox OS for MSM, QRD Android
Advisory ID:
QCIR-2016-00015-1
CVE ID(s):
CVE-2016-2477, CVE-2016-2478, CVE-2016-2480, CVE-2016-2482
Summary:
CVE-2016-2477, CVE-2016-2478
The function omx_vdec::set_config() does not validate the input "configData". This could lead to out-of-bounds access in the heap of MediaServer.
Vulnerability: CWE-120 Buffer Copy Without Checking Size of Input (Classic Buffer Overflow)

CVE-2016-2480
The Set/Get Config/Param functions do not validate the source of the parameters. When the size of the source data is less than the params being handled at the native layer, a heap overflow occurs.
Vulnerability: CWE-120 Buffer Copy Without Checking Size of Input (Classic Buffer Overflow)

CVE-2016-2482
The omx_vdec::set_parameter function allows a user to set 'drv_ctx.ip_buf.actualcount' without checking the max value. In addition, this creates an inconsistency if a buffer based on this value has already been allocated.
Vulnerability: CWE-129 (Improper Validation of Array Index)
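The two missing checks described in the summary, shown as an added C sketch that is not the QuIC patch and not code from omx_vdec: a config setter that verifies the caller's data covers the struct before copying, and a count setter that enforces a maximum and refuses changes after allocation. All type, field and constant names, including the limit of 32, are assumptions made for the illustration.

```c
/* Added illustration; every name here is hypothetical, not from omx_vdec. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_INPUT_BUFFERS 32u          /* assumed upper bound for this sketch */

struct cfg_hdr     { uint32_t size; uint32_t index; };  /* caller-declared size */
struct cfg_payload { struct cfg_hdr hdr; uint32_t value[4]; };

struct decoder {
    uint32_t actual_count;             /* input buffers the client asked for */
    uint32_t allocated_count;          /* 0 until the buffer array exists */
    struct cfg_payload cfg;
};

enum { CFG_OK = 0, CFG_BAD_PARAM = -1, CFG_BAD_STATE = -2 };

/* CWE-120 case: copy only when both the real length of the caller's data
 * and the size it declares cover the struct that is about to be read. */
int set_config_checked(struct decoder *d, const void *data, size_t data_len)
{
    struct cfg_hdr hdr;

    if (d == NULL || data == NULL || data_len < sizeof hdr)
        return CFG_BAD_PARAM;
    memcpy(&hdr, data, sizeof hdr);    /* read the header without aliasing */
    if (hdr.size != sizeof d->cfg || data_len < sizeof d->cfg)
        return CFG_BAD_PARAM;          /* short or mislabelled source data */
    memcpy(&d->cfg, data, sizeof d->cfg);
    return CFG_OK;
}

/* CWE-129 case: bound the count, and reject a change once an array sized
 * from the earlier value has been allocated. */
int set_actual_count_checked(struct decoder *d, uint32_t count)
{
    if (d == NULL || count == 0 || count > MAX_INPUT_BUFFERS)
        return CFG_BAD_PARAM;
    if (d->allocated_count != 0 && count != d->allocated_count)
        return CFG_BAD_STATE;          /* would desynchronise count and array */
    d->actual_count = count;
    return CFG_OK;
}
```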
Access Vector: Local
Security Risk: High
Affected Versions:
All Android releases from CAF using the following heads: KitKat, Lollipop, Marshmallow
Patch:
We advise customers to apply the following patches:
Individual Patches
CVE-2016-2477, CVE-2016-2478
CVE-2016-2480
CVE-2016-2482
Acknowledgement:
This issue was reported to Google by a security researcher. Qualcomm Innovation Center, Inc. (QuIC) thanks Google for bringing this issue to QuIC's attention.
Revisions:
Initial