Android image parsing heap overflow vulnerability analysis (CVE-2015-1532) - vulnerability warning - the black bar safety net

ID MYHACK58:62201563260
Type myhack58
Reporter Anonymous
Modified 2015-06-05T00:00:00


Google recently disclosed a vulnerability that was fixed in the January update. The fix addresses an image rendering problem present in Android versions below 5.1; see the related link for details.

9patch is a picture format unique to Android: an ordinary PNG image with a border of extra pixels added around it, which is what lets the image be stretched and scaled arbitrarily.

[9patch file format overview]

As said above, a 9patch file is a special kind of PNG image, so we first take a look at the PNG file structure.


A PNG file starts with what is called the signature, i.e. the file signature (many people call it the file header). It is 8 bytes long, and the values of those 8 bytes are fixed.


The signature is followed by a sequence of chunks. Each chunk is variable in size, and the image data is stored in these chunks. The chunk structure is as follows:


Described in pseudocode:


A chunk starts with the chunk length, defined as a 4-byte big-endian integer. This length counts only the chunk data, not the length field itself, the type or the CRC, so the total size of a chunk is the data length plus those three fields. Next comes a 4-byte sequence of ASCII letters giving the chunk type. Then comes the chunk data, whose length is given by the length field; when the length is 0 this field is absent. Finally there is the CRC of the whole chunk. After that comes the next chunk.

Now to this article's protagonist, the 9patch file. It is a PNG file that contains a chunk of type "npTc". See Google's official definition (unrelated code has been filtered out):


Take a look at an ordinary 9patch file:


In this 9patch file the npTc chunk is located right after the first chunk, IHDR; its chunk length is 0x20 and the first value of the data field is 0. The figure marks the positions of numXDivs, numYDivs and numColors, from which the other data field values can be derived in turn.
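The chunk walk from the PNG overview and the npTc layout described here, as an added example in Python (not code from the original article or from Android): a parser that checks every chunk length against the bytes actually present, then checks that the three count bytes of an npTc chunk (numXDivs, numYDivs, numColors) agree with the size of the chunk before any array is read. The 32-byte header layout follows the public Android Res_png_9patch definition the article refers to; the sample PNG bytes are constructed inline, and the offset values written by build_nptc are this example's own assumption.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Fixed 32-byte (0x20) header of the serialized npTc payload, following the
# public Android Res_png_9patch layout: wasDeserialized, numXDivs, numYDivs,
# numColors (1 byte each), xDivsOffset, yDivsOffset (4 bytes each), four
# 4-byte padding values, colorsOffset (4 bytes). The variable-length xDivs,
# yDivs and colors arrays (4 bytes per entry) follow the header.
NPTC_HEADER_LEN = 32


class PngFormatError(ValueError):
    """Raised when a length or count field does not match the bytes present."""


def iter_chunks(data):
    """Yield (chunk_type, payload) pairs, refusing any chunk whose declared
    length runs past the end of the buffer or whose CRC does not verify."""
    if data[:8] != PNG_SIGNATURE:
        raise PngFormatError("bad PNG signature")
    pos = 8
    while pos < len(data):
        # length (4) + type (4) + crc (4) is the smallest possible chunk
        if len(data) - pos < 12:
            raise PngFormatError("truncated chunk header at offset %d" % pos)
        length, = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        # the length field covers chunk data only: add 8 for length+type, 4 for crc
        end = pos + 8 + length
        if end + 4 > len(data):
            raise PngFormatError("chunk %r declares %d data bytes but only %d remain"
                                 % (ctype, length, len(data) - pos - 12))
        payload = data[pos + 8:end]
        crc, = struct.unpack(">I", data[end:end + 4])
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != crc:
            raise PngFormatError("CRC mismatch in chunk %r" % ctype)
        yield ctype.decode("ascii"), payload
        pos = end + 4
        if ctype == b"IEND":
            break


def parse_nptc(payload):
    """Decode an npTc payload, checking that the count bytes agree with the
    number of bytes the chunk actually carries before any array is read."""
    if len(payload) < NPTC_HEADER_LEN:
        raise PngFormatError("npTc payload shorter than its 32-byte header")
    _was_deserialized, num_x, num_y, num_colors = struct.unpack(">BBBB", payload[:4])
    expected = NPTC_HEADER_LEN + 4 * (num_x + num_y + num_colors)
    if len(payload) != expected:
        raise PngFormatError("npTc counts %d/%d/%d need %d bytes, chunk carries %d"
                             % (num_x, num_y, num_colors, expected, len(payload)))
    off = NPTC_HEADER_LEN
    x_divs = list(struct.unpack(">%di" % num_x, payload[off:off + 4 * num_x]))
    off += 4 * num_x
    y_divs = list(struct.unpack(">%di" % num_y, payload[off:off + 4 * num_y]))
    off += 4 * num_y
    colors = list(struct.unpack(">%dI" % num_colors, payload[off:off + 4 * num_colors]))
    return {"numXDivs": num_x, "numYDivs": num_y, "numColors": num_colors,
            "xDivs": x_divs, "yDivs": y_divs, "colors": colors}


def build_chunk(ctype, payload):
    """Serialize one chunk: big-endian length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_nptc(x_divs, y_divs, colors):
    """Serialize a consistent npTc payload. Offsets are written as byte offsets
    from the start of the payload (an assumption made for this example)."""
    x_off = NPTC_HEADER_LEN
    y_off = x_off + 4 * len(x_divs)
    c_off = y_off + 4 * len(y_divs)
    header = struct.pack(">BBBB", 0, len(x_divs), len(y_divs), len(colors))
    header += struct.pack(">IIiiiiI", x_off, y_off, 0, 0, 0, 0, c_off)
    body = struct.pack(">%di" % len(x_divs), *x_divs)
    body += struct.pack(">%di" % len(y_divs), *y_divs)
    body += struct.pack(">%dI" % len(colors), *colors)
    return header + body


def make_sample_png(nptc_payload):
    """Constructed 4x4 RGBA PNG carrying the given npTc chunk right after IHDR."""
    ihdr = struct.pack(">IIBBBBB", 4, 4, 8, 6, 0, 0, 0)
    raw_rows = (b"\x00" + b"\x00" * 16) * 4   # filter byte + 4 RGBA pixels per row
    return (PNG_SIGNATURE + build_chunk(b"IHDR", ihdr) + build_chunk(b"npTc", nptc_payload)
            + build_chunk(b"IDAT", zlib.compress(raw_rows)) + build_chunk(b"IEND", b""))


def find_nptc(data):
    """Return the decoded npTc chunk of a PNG buffer, or None if there is none."""
    for ctype, payload in iter_chunks(data):
        if ctype == "npTc":
            return parse_nptc(payload)
    return None


def nptc_is_consistent(data):
    """True when every chunk fits the buffer and every npTc count matches its bytes."""
    try:
        for ctype, payload in iter_chunks(data):
            if ctype == "npTc":
                parse_nptc(payload)
        return True
    except PngFormatError:
        return False


if __name__ == "__main__":
    good = make_sample_png(build_nptc([1, 3], [1, 3], [0xFF0000FF] * 9))
    print(find_nptc(good))
    # header whose count bytes promise arrays that the 32-byte chunk does not carry
    print(nptc_is_consistent(make_sample_png(bytes([0, 2, 2, 200]) + bytes(28))))
```

The point of the two checks is that neither the chunk length nor the three count bytes are trusted on their own: the length is compared with the buffer that remains, and the counts are compared with the length, so the arrays are only unpacked once both agree.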
