Multiple Vulnerabilities in OMX Allow Memory Corruption of MediaServer (CVE-2016-2477, CVE-2016-2478, CVE-2016-2480, CVE-2016-2482)

Release Date:

June 17, 2016

Affected Projects:

Android for MSM, Firefox OS for MSM, QRD Android

Advisory ID:

QCIR-2016-00015-1

CVE ID(s):

CVE-2016-2477, CVE-2016-2478, CVE-2016-2480, CVE-2016-2482

Summary:

CVE-2016-2477, CVE-2016-2478: The function omx_vdec::set_config() doesn't validate the input "configData". This could lead to out-of-bounds access in the heap of MediaServer.
Vulnerability: CWE-120 Buffer Copy Without Checking Size of Input (Classic Buffer Overflow)

CVE-2016-2480: The Set/Get Config/Param functions do not validate the source of the parameters. When the size of the source data is less than the size of the params being handled at the native layer, a heap overflow occurs.
Vulnerability: CWE-120 Buffer Copy Without Checking Size of Input (Classic Buffer Overflow)

CVE-2016-2482: The omx_vdec::set_parameter function allows a user to set 'drv_ctx.ip_buf.actualcount' without checking the max value. In addition, this creates an inconsistency if a buffer based on this value has already been allocated.
Vulnerability: CWE-129 (Improper Validation of Array Index)
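
The checks whose absence is described for CVE-2016-2480 and CVE-2016-2482, shown on a simplified model. This is an added example, not code from the QuIC patch or the omx_vdec source; the struct layouts, function name, return codes and the MAX_INPUT_BUFFERS limit are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_INPUT_BUFFERS 32u   /* assumed driver limit, not from the advisory */

/* Hypothetical parameter block: the caller states how many bytes it supplied. */
struct buf_count_param {
    uint32_t size;          /* bytes the caller claims to have provided */
    uint32_t actual_count;  /* requested number of input buffers */
};

struct decoder_ctx {
    uint32_t actual_count;  /* models drv_ctx.ip_buf.actualcount */
    int buffers_allocated;  /* nonzero once buffers exist for actual_count */
};

enum { PARAM_OK = 0, PARAM_BAD_SIZE = -1, PARAM_BAD_COUNT = -2, PARAM_BAD_STATE = -3 };

/* Validates source size, upper bound and allocation state before any use. */
int set_buf_count(struct decoder_ctx *ctx, const void *data, size_t data_len)
{
    struct buf_count_param p;

    /* CVE-2016-2480 class: source smaller than the struct handled natively. */
    if (data == NULL || data_len < sizeof(p))
        return PARAM_BAD_SIZE;
    memcpy(&p, data, sizeof(p));
    if (p.size != sizeof(p))
        return PARAM_BAD_SIZE;

    /* CVE-2016-2482 class: the count is later used as an array bound. */
    if (p.actual_count == 0 || p.actual_count > MAX_INPUT_BUFFERS)
        return PARAM_BAD_COUNT;

    /* Changing the count after allocation makes it disagree with the array. */
    if (ctx->buffers_allocated && p.actual_count != ctx->actual_count)
        return PARAM_BAD_STATE;

    ctx->actual_count = p.actual_count;
    return PARAM_OK;
}
```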

Access Vector: Local
Security Risk: High

Affected Versions:

All Android releases from CAF using the following heads: KitKat, Lollipop, Marshmallow

Patch:

Acknowledgement:

This issue was reported to Google by a security researcher. Qualcomm Innovation Center, Inc. (QuIC) thanks Google for bringing this issue to QuIC's attention.

Revisions:

Initial

Contact:

security-advisory@quicinc.com