Buffer overflow in ClearKey Content Decryption Module (CDM) during video playback

2016-08-02T00:00:00
ID MFSA2016-77
Type mozilla
Reporter Mozilla Foundation
Modified 2016-08-02T00:00:00

Description

An anonymous security researcher working with Trend Micro's Zero Day Initiative reported a buffer overflow in the ClearKey Content Decryption Module (CDM) used by the Encrypted Media Extensions (EME) API. This vulnerability can be triggered using a malformed video file due to incorrect error handling. This could allow arbitrary code execution if combined with a second vulnerability that allows an escape from the Gecko Media Plugin (GMP) sandbox. Without such a vulnerability, the buffer overflow is contained within the GMP sandbox and cannot be exploited.