In DecodeFrameCombinedMode of combined_decode.cpp, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "334726445611040651805308518657547502328", "302165643461263201211534998004767159937", "226269220506570919067913862504097789007", "207993031518915275674796219289714529616", "61525047071483516889569781706181810859", "70006150308981293561223273089275553736", "256576577570968665084339381138057802861" ] }, "id": "ASB-A-152496149-58887e11", "source": "https://android.googlesource.com/platform/frameworks/av/+/b875a5fe0db2e2d4bf44746bb8ca4dc1e959925e", "deprecated": false, "signature_version": "v1", "target": { "file": "media/libstagefright/codecs/m4v_h263/dec/src/vop.cpp" }, "signature_type": "Line" }, { "digest": { "length": 10648.0, "function_hash": "288748447126358271450202249967440015477" }, "id": "ASB-A-152496149-a3763bb8", "source": "https://android.googlesource.com/platform/frameworks/av/+/b875a5fe0db2e2d4bf44746bb8ca4dc1e959925e", "deprecated": false, "signature_version": "v1", "target": { "file": "media/libstagefright/codecs/m4v_h263/dec/src/vop.cpp", "function": "DecodeVOLHeader" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/av/+/b875a5fe0db2e2d4bf44746bb8ca4dc1e959925e" ], "spl": "2020-09-01", "severity": "Critical", "types": [ "RCE" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "334726445611040651805308518657547502328", "302165643461263201211534998004767159937", "226269220506570919067913862504097789007", "207993031518915275674796219289714529616", "61525047071483516889569781706181810859", "70006150308981293561223273089275553736", "256576577570968665084339381138057802861" ] }, "id": "ASB-A-152496149-02beaeb9", "source": "https://android.googlesource.com/platform/frameworks/av/+/b875a5fe0db2e2d4bf44746bb8ca4dc1e959925e", "deprecated": false, "signature_version": "v1", "target": { "file": "media/libstagefright/codecs/m4v_h263/dec/src/vop.cpp" }, "signature_type": "Line" }, { "digest": { "length": 10648.0, "function_hash": "288748447126358271450202249967440015477" }, "id": "ASB-A-152496149-deddc686", "source": "https://android.googlesource.com/platform/frameworks/av/+/b875a5fe0db2e2d4bf44746bb8ca4dc1e959925e", "deprecated": false, "signature_version": "v1", "target": { "file": "media/libstagefright/codecs/m4v_h263/dec/src/vop.cpp", "function": "DecodeVOLHeader" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/av/+/b875a5fe0db2e2d4bf44746bb8ca4dc1e959925e" ], "spl": "2020-09-01", "severity": "Critical", "types": [ "RCE" ] }
{ "vanir_signatures": [ { "digest": { "length": 10648.0, "function_hash": "288748447126358271450202249967440015477" }, "id": "ASB-A-152496149-21ce42d7", "source": "https://android.googlesource.com/platform/frameworks/av/+/b875a5fe0db2e2d4bf44746bb8ca4dc1e959925e", "deprecated": false, "signature_version": "v1", "target": { "file": "media/libstagefright/codecs/m4v_h263/dec/src/vop.cpp", "function": "DecodeVOLHeader" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "334726445611040651805308518657547502328", "302165643461263201211534998004767159937", "226269220506570919067913862504097789007", "207993031518915275674796219289714529616", "61525047071483516889569781706181810859", "70006150308981293561223273089275553736", "256576577570968665084339381138057802861" ] }, "id": "ASB-A-152496149-b385b279", "source": "https://android.googlesource.com/platform/frameworks/av/+/b875a5fe0db2e2d4bf44746bb8ca4dc1e959925e", "deprecated": false, "signature_version": "v1", "target": { "file": "media/libstagefright/codecs/m4v_h263/dec/src/vop.cpp" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/av/+/b875a5fe0db2e2d4bf44746bb8ca4dc1e959925e" ], "spl": "2020-09-01", "severity": "Critical", "types": [ "RCE" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "334726445611040651805308518657547502328", "302165643461263201211534998004767159937", "226269220506570919067913862504097789007", "207993031518915275674796219289714529616", "61525047071483516889569781706181810859", "70006150308981293561223273089275553736", "256576577570968665084339381138057802861" ] }, "id": "ASB-A-152496149-410df9d8", "source": "https://android.googlesource.com/platform/frameworks/av/+/b875a5fe0db2e2d4bf44746bb8ca4dc1e959925e", "deprecated": false, "signature_version": "v1", "target": { "file": "media/libstagefright/codecs/m4v_h263/dec/src/vop.cpp" }, "signature_type": "Line" }, { "digest": { "length": 10648.0, "function_hash": "288748447126358271450202249967440015477" }, "id": "ASB-A-152496149-6720f5a7", "source": "https://android.googlesource.com/platform/frameworks/av/+/b875a5fe0db2e2d4bf44746bb8ca4dc1e959925e", "deprecated": false, "signature_version": "v1", "target": { "file": "media/libstagefright/codecs/m4v_h263/dec/src/vop.cpp", "function": "DecodeVOLHeader" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/av/+/b875a5fe0db2e2d4bf44746bb8ca4dc1e959925e" ], "spl": "2020-09-01", "severity": "High", "types": [ "ID" ] }