The latest CTS release for Lollipop (5.1_r10) has added a new security test for stagefright:
class: android.security.cts.StagefrightTest
method: testStagefright_cve_2015_6603
The lib_mp4_parser_arm11_elinux.3.0.so library released with L5.1.1_2.0.0 GA along with the latest library released with M6.0.1_2.1.0 GA fails this test!
The associated android bug is: ANDROID-23227354
Our platform is based off the SabreSD imx6q reference platform with Lollipop L5.1.1_2.0.0 GA (LMY47V) running on it.
The security vulnerability is identified in this Security Bulletin by Google:
https://source.android.com/security/bulletin/2015-10-01.html
The patch for their stagefright code is here: https://android.googlesource.com/platform%2Fframeworks%2Fav/+/c37f7f6fa0cb7f55cdc5b2d4ccbf2c87c3bc6c...
The patch is a simple one line change ensuring that dataSize is not less than 4. Hopefully it can be ported to the NXP mp4 parser library easily.
We would like this patch to be applied to the mp4 parser library specifically for L5.1.1_2.0.0 GA (upgrading to Marshmallow is not an option for us) so that we can pass CTS and improve the BSP's security. Ideally, that new library would be posted directly to this forum.
Below I have provided the device logcat output showing the crash leading to the failed CTS test. It is using the L5.1.1_2.0.0 mp4 parser library. The CTS test fails with the latest Marshmallow (M6.0.1_2.1.0) mp4 parser library too.
09-26 11:54:53.799 23370 23386 I TestRunner: run started: 1 tests
09-26 11:54:53.823 23370 23386 I TestRunner: started: testStagefright_cve_2015_6603(android.security.cts.StagefrightTest)
09-26 11:54:53.827 23370 23386 D CtsTestRunListener: Now executing : android.security.cts.StagefrightTest
09-26 11:54:53.921 22805 22867 I OMXPlayer: Loading content: sharedfd://13:2096212:297050:0
09-26 11:54:53.921 22805 22867 I OMXPlayer: LEVEL: 1 FUNCTION: MediaTypeInspect LINE: 1967
09-26 11:54:53.921 22805 22867 I OMXPlayer: Can't inspect media content type by subfix.
09-26 11:54:53.922 22805 22867 I OMXPlayer: MediaTypeInspectByContent role: parser.mp4
09-26 11:54:53.944 22805 23390 I OMXPlayer: Core parser MPEG4PARSER_06.09.16 build on Jun 29 2015 13:20:04
--------- beginning of crash
09-26 11:54:53.985 22805 23390 F libc : Fatal signal 11 (SIGSEGV), code 1, fault addr 0xb5000000 in tid 23390 (Binder_1)
09-26 11:54:54.089 169 169 I DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
09-26 11:54:54.089 169 169 I DEBUG : Revision: '0'
09-26 11:54:54.089 169 169 I DEBUG : ABI: 'arm'
09-26 11:54:54.089 169 169 I DEBUG : pid: 22805, tid: 23390, name: Binder_1 >>> /system/bin/mediaserver <<<
09-26 11:54:54.089 169 169 I DEBUG : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xb5000000
09-26 11:54:54.097 450 1094 W NativeCrashListener: Couldn't find ProcessRecord for pid 22805
09-26 11:54:54.131 169 169 I DEBUG : r0 ffffffff r1 80000000 r2 ffffffff r3 b4c700f0
09-26 11:54:54.131 169 169 E DEBUG : AM write failure (32 / Broken pipe)
09-26 11:54:54.131 169 169 I DEBUG : r4 b44656d0 r5 00000000 r6 0038ff10 r7 0000000e
09-26 11:54:54.131 169 169 I DEBUG : r8 0000000f r9 00000008 sl 0038ff07 fp 00000004
09-26 11:54:54.131 169 169 I DEBUG : ip 00000000 sp b4465660 lr 0038ff06 pc b435d3e4 cpsr 000f0030
09-26 11:54:54.132 169 169 I DEBUG :
09-26 11:54:54.132 169 169 I DEBUG : backtrace:
09-26 11:54:54.132 169 169 I DEBUG : #00 pc 0001f3e4 /system/lib/lib_mp4_parser_arm11_elinux.3.0.so (UnsyncRemoveV2_4+151)
09-26 11:54:54.132 169 169 I DEBUG : #01 pc 0001f539 /system/lib/lib_mp4_parser_arm11_elinux.3.0.so (ID3V2Parse+164)
09-26 11:54:54.132 169 169 I DEBUG : #02 pc 0001dc99 /system/lib/lib_mp4_parser_arm11_elinux.3.0.so
09-26 11:54:54.132 169 169 I DEBUG : #03 pc 0000b6a7 /system/lib/lib_mp4_parser_arm11_elinux.3.0.so (MP4ParseAtomUsingProtoList+534)
09-26 11:54:54.132 169 169 I DEBUG : #04 pc 00009eed /system/lib/lib_mp4_parser_arm11_elinux.3.0.so
09-26 11:54:54.132 169 169 I DEBUG : #05 pc 0000b6a7 /system/lib/lib_mp4_parser_arm11_elinux.3.0.so (MP4ParseAtomUsingProtoList+534)
09-26 11:54:54.132 169 169 I DEBUG : #06 pc 0000f815 /system/lib/lib_mp4_parser_arm11_elinux.3.0.so
09-26 11:54:54.132 169 169 I DEBUG : #07 pc 0000fabf /system/lib/lib_mp4_parser_arm11_elinux.3.0.so (MP4OpenMovieFile+48)
09-26 11:54:54.133 169 169 I DEBUG : #08 pc 00012619 /system/lib/lib_mp4_parser_arm11_elinux.3.0.so
09-26 11:54:54.133 169 169 I DEBUG : #09 pc 00012d15 /system/lib/lib_mp4_parser_arm11_elinux.3.0.so (MP4CreateParser2+236)
09-26 11:54:54.133 169 169 I DEBUG : #10 pc 00003fcd /system/lib/lib_omx_fsl_parser_v2_arm11_elinux.so (_ZN9FslParser14InitCoreParserEv+104)
09-26 11:54:54.133 169 169 I DEBUG : #11 pc 000063d5 /system/lib/lib_omx_fsl_parser_v2_arm11_elinux.so (_ZN9FslParser12InstanceInitEv+112)
09-26 11:54:54.133 169 169 I DEBUG : #12 pc 0000f693 /system/lib/lib_omx_common_v2_arm11_elinux.so (_ZN9IdleState7ToPauseEv+10)
09-26 11:54:54.133 169 169 I DEBUG : #13 pc 0001130d /system/lib/lib_omx_common_v2_arm11_elinux.so (_ZN5State10ProcessCmdEv+136)
09-26 11:54:54.133 169 169 I DEBUG : #14 pc 0000f001 /system/lib/lib_omx_common_v2_arm11_elinux.so (_Z8DoThreadPv+72)
09-26 11:54:54.133 169 169 I DEBUG : #15 pc 00016eb7 /system/lib/libc.so (_ZL15__pthread_startPv+30)
09-26 11:54:54.133 169 169 I DEBUG : #16 pc 00014df3 /system/lib/libc.so (__start_thread+6)
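The kind of check the post asks for, as an added example that is not part of the original post and is neither the AOSP patch nor NXP's parser code: a simplified ID3v2.4 frame walker that strips the 4-byte data length indicator and rejects a frame whose declared size is below 4 before subtracting. The function names and sample tags are constructed for illustration; only the "dataSize is not less than 4" condition comes from the post.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR 10u           /* frame header: id(4) + syncsafe size(4) + flags(2) */
#define FLAG_DATA_LEN 1u  /* ID3v2.4 format flag: data length indicator present */

/* Decode a syncsafe size; a byte with its top bit set is malformed. */
static int syncsafe(const uint8_t *p, size_t *out) {
    if ((p[0] | p[1] | p[2] | p[3]) & 0x80) return 0;
    *out = ((size_t)p[0] << 21) | ((size_t)p[1] << 14) | ((size_t)p[2] << 7) | p[3];
    return 1;
}

/* Strip the 4-byte data length indicator from each frame that carries one.
 * Returns 1 and updates *size on success, 0 if the frame data is malformed. */
int strip_data_len_indicators(uint8_t *tag, size_t *size) {
    size_t off = 0, data_size;
    while (*size >= HDR && off <= *size - HDR) {
        if (memcmp(tag + off, "\0\0\0\0", 4) == 0) break;      /* padding */
        if (!syncsafe(tag + off + 4, &data_size)) return 0;
        if (data_size > *size - off - HDR) return 0;           /* frame must fit */
        if (tag[off + 9] & FLAG_DATA_LEN) {
            /* The check the post describes: without it data_size - 4 wraps to
             * a huge unsigned value and anything bounded by it leaves the buffer. */
            if (data_size < 4) return 0;
            memmove(tag + off + HDR, tag + off + HDR + 4, *size - off - HDR - 4);
            *size -= 4;
            data_size -= 4;
            tag[off + 4] = (uint8_t)((data_size >> 21) & 0x7f);
            tag[off + 5] = (uint8_t)((data_size >> 14) & 0x7f);
            tag[off + 6] = (uint8_t)((data_size >> 7) & 0x7f);
            tag[off + 7] = (uint8_t)(data_size & 0x7f);
            tag[off + 9] &= (uint8_t)~FLAG_DATA_LEN;
        }
        off += HDR + data_size;
    }
    return 1;
}

int main(void) {
    /* Constructed samples: one well-formed frame, one declaring 2 data bytes. */
    uint8_t good[] = {'T','I','T','2', 0,0,0,6, 0,1, 0,0,0,2, 'h','i'};
    uint8_t bad[]  = {'T','I','T','2', 0,0,0,2, 0,1, 'h','i'};
    size_t gn = sizeof good, bn = sizeof bad;
    printf("good: %d\n", strip_data_len_indicators(good, &gn));
    printf("bad:  %d\n", strip_data_len_indicators(bad, &bn));
    return 0;
}
```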
SergioSolis, Provide an answer before Monday.