Multiple Vulnerabilities in OMX Allow Memory Corruption of MediaServer (CVE-2016-3746, CVE-2016-3747)

Release Date:

August 4, 2016

Affected Projects:

Android for MSM Firefox OS for MSM QRD Android

Advisory ID:

QCIR-2016-00028-1

CVE ID(s):

CVE-2016-3746 CVE-2016-3747

Summary:

CVE-2016-3746: In the libomxvdec library, specifically crafted requests can trick a thread to read a buffer that has been previously freed by another thread. CVE-2016-3747: In the libomxvenc library, specifically crafted requests can trick a thread to read a buffer that has been previously freed by another thread.

Access Vector: Local

Security Risk: High

Access Vector: Local

Affected Versions:

All Android releases from CAF using the following heads: KitKat, Lollipop, Marshmallow

Patch:

CVE-2016-3746:
https://source.codeaurora.org/quic/la//platform/hardware/qcom/media/commit/?id=c2e66c4ee83b4264d691d8aaabb2e94744df1e25

CVE-2016-3747:
https://source.codeaurora.org/quic/la//platform/hardware/qcom/media/commit/?id=905826825e4459c0dfc9d6475e950d6be3a16fc7

Acknowledgement:

This issue was reported to Google by a security researcher. Qualcomm Innovation Center, Inc. (QuIC) thanks Google for bringing this issue to QuIC's attention.

Revisions:

Initial revision

Contact:

security-advisory@quicinc.com