LG MRA58K - ASFParser::SetMetaData Stack Overflow
LG MRA58K - ASFParser::SetMetaData Stack Overflow Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1226 There are three variants of the below crash, all of which stem from an unbound copy into a fixed size stack buffer allocated in the function ASFParser::SetMetaData, used as...
LG MRA58K - ASFParser::ParseHeaderExtensionObjects Missing Bounds-Checking Exploit
Exploit for Android platform in category dos / poc Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1222 There is a memcpy in ASFParser::ParseHeaderExtensionObjects which doesn't check that the size of the copy is smaller than the size of the source buffer, resulting in an...
LG MRA58K - Out-of-Bounds Heap Read in CAVIFileParser::Destroy Resulting in Invalid Free Exploit
Exploit for Android platform in category dos / poc Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1221 Similar to the previously reported issue 1206 , when parsing AVI files the CAVIFileParser object contains a fixed-size array of what appears to be pointer/length pairs, used I...
LG MRA58K - Missing Bounds-Checking in AVI Stream Parsing Exploit
Exploit for Android platform in category dos / poc Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1206 Missing bounds-checking in AVI stream parsing When parsing AVI files, CAVIFileParser uses the stream count from the AVI header to allocate backing storage for storing metadata...
LG MRA58K - Out-of-Bounds Heap Read in CAVIFileParser::Destroy Resulting in Invalid Free
LG MRA58K - Out-of-Bounds Heap Read in CAVIFileParser::Destroy Resulting in Invalid Free Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1221 Similar to the previously reported issue 1206 , when parsing AVI files the CAVIFileParser object contains a fixed-size array of what...
LG MRA58K - 'ASFParser::ParseHeaderExtensionObjects' Missing Bounds-Checking
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1222 There is a memcpy in ASFParser::ParseHeaderExtensionObjects which doesn't check that the size of the copy is smaller than the size of the source buffer, resulting in an out-of-bounds heap read. The vulnerable code appears to b...
LG MRA58K - Out-of-Bounds Heap Read in CAVIFileParser::Destroy Resulting in Invalid Free
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1221 Similar to the previously reported issue 1206 , when parsing AVI files the CAVIFileParser object contains a fixed-size array of what appears to be pointer/length pairs, used I suppose to store the data for each stream. This is...
LG G4 MRA58K - liblg_parser_mkv.so Bad Allocation Calls Exploit
Exploit for Android platform in category dos / poc Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1102 In both of the following functions mkvparser::AudioTrack::AudioTrackmkvparser::Segment, mkvparser::Track::Info const&, long long, long long...
LG G4 MRA58K - 'mkvparser::Block::Block' Heap Buffer Overflow
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1124 There are multiple paths in mkvparser::Block::Block... that result in heap buffer overflows. See attached for sample files that trigger the overflow conditions - these will not reliably crash the process, since the overflows a...
LG G4 MRA58K - liblg_parser_mkv.so Bad Allocation Calls
LG G4 MRA58K - liblg_parser_mkv.so Bad Allocation Calls Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1102 In both of the following functions mkvparser::AudioTrack::AudioTrackmkvparser::Segment, mkvparser::Track::Info const&, long long, long long...
LG G4 MRA58K - 'liblg_parser_mkv.so' Bad Allocation Calls
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1102 In both of the following functions mkvparser::AudioTrack::AudioTrackmkvparser::Segment, mkvparser::Track::Info const&, long long, long long mkvparser::VideoTrack::VideoTrackmkvparser::Segment, mkvparser::Track::Info const&, lo...
LG G4 - lgdrmserver Binder Service Multiple Race Conditions Vulnerability
Exploit for Android platform in category dos / poc Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=986 The lgdrmserver binder service /system/bin/lgdrmserver implements a handle system to store pointers to objects allocated by the drm implementation /system/lib/liblgdrm.so. In...
LG G4 - lgdrmserver Binder Service Multiple Race Conditions
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=986 The lgdrmserver binder service /system/bin/lgdrmserver implements a handle system to store pointers to objects allocated by the drm implementation /system/lib/liblgdrm.so. In several places, these handles are retrieved from a...