FAQs
English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

UAF of AMediaFormat in Android Automotive

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

UAF of AMediaFormat in Android Automotive

‎01-19-2024 05:11 AM
294 Views
dmitry_sidorenkov
Contributor III

Using NXP Android automotive 12.1 found an UAF.
I could not find out a github to create a PR or NXP's Android bugs forum.

soc: imx8qm
linux: 5.15.52

Root cause:
AMediaFormat_delete(extractor_meta) deletes a String8 field of extractor_meta, then it is implicitly used in strcasecmp via containerMime at the next line.

Fix:
Move deleting below then strcasecmp

 

--- a/extractor/ImxExtractor.cpp
+++ b/extractor/ImxExtractor.cpp
@@ -111,10 +111,10 @@ ImxMediaSource::ImxMediaSource(ImxExtractor *extractor, size_t index, AMediaForm
     if(AMEDIA_OK == mExtractor->getMetaData(extractor_meta)){
         AMediaFormat_getString(extractor_meta, AMEDIAFORMAT_KEY_MIME, &containerMime);
     }
-    AMediaFormat_delete(extractor_meta);
 
     mIsVorbis = containerMime != NULL && !strcasecmp(containerMime, MEDIA_MIMETYPE_CONTAINER_MATROSKA) && !strcasecmp(mime, MEDIA_MIMETYPE_AUDIO_VORBIS);
     mIsMP4 = containerMime != NULL && !strcasecmp(containerMime, MEDIA_MIMETYPE_CONTAINER_MPEG4);
+    AMediaFormat_delete(extractor_meta);
 
     mNALLengthSize = 0;
     mBufferSize = 0;

 

Labels (1)
Labels
0 Kudos
Reply
0 Replies