In extract3GPPGlobalDescriptions of TextDescriptions.cpp, there is a possible out of bounds read due to an integer overflow. This could lead to local information disclosure from the media server with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "length": 2780.0, "function_hash": "50675638291051841526738330140886205029" }, "id": "ASB-A-233735886-673a1ae7", "source": "https://android.googlesource.com/platform/frameworks/av/+/b63d4e785ba4d896bbbd50d4f09bda13294926af", "deprecated": false, "signature_version": "v1", "target": { "file": "media/libstagefright/timedtext/TextDescriptions.cpp", "function": "TextDescriptions::extract3GPPGlobalDescriptions" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "229386592317417695301799087523203399799", "109219931390342791495629278406969013539", "198744136753815729415861381615626259319", "237196193812767868580563222050800769717" ] }, "id": "ASB-A-233735886-ae1819fc", "source": "https://android.googlesource.com/platform/frameworks/av/+/b63d4e785ba4d896bbbd50d4f09bda13294926af", "deprecated": false, "signature_version": "v1", "target": { "file": "media/libstagefright/timedtext/TextDescriptions.cpp" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/av/+/b63d4e785ba4d896bbbd50d4f09bda13294926af" ], "spl": "2022-09-01", "severity": "High", "types": [ "ID" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "229386592317417695301799087523203399799", "109219931390342791495629278406969013539", "198744136753815729415861381615626259319", "237196193812767868580563222050800769717" ] }, "id": "ASB-A-233735886-37659871", "source": "https://android.googlesource.com/platform/frameworks/av/+/b63d4e785ba4d896bbbd50d4f09bda13294926af", "deprecated": false, "signature_version": "v1", "target": { "file": "media/libstagefright/timedtext/TextDescriptions.cpp" }, "signature_type": "Line" }, { "digest": { "length": 2780.0, "function_hash": "50675638291051841526738330140886205029" }, "id": "ASB-A-233735886-f28df4bc", "source": "https://android.googlesource.com/platform/frameworks/av/+/b63d4e785ba4d896bbbd50d4f09bda13294926af", "deprecated": false, "signature_version": "v1", "target": { "file": "media/libstagefright/timedtext/TextDescriptions.cpp", "function": "TextDescriptions::extract3GPPGlobalDescriptions" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/av/+/b63d4e785ba4d896bbbd50d4f09bda13294926af" ], "spl": "2022-09-01", "severity": "High", "types": [ "ID" ] }
{ "vanir_signatures": [ { "digest": { "length": 2780.0, "function_hash": "50675638291051841526738330140886205029" }, "id": "ASB-A-233735886-689245c8", "source": "https://android.googlesource.com/platform/frameworks/av/+/b63d4e785ba4d896bbbd50d4f09bda13294926af", "deprecated": false, "signature_version": "v1", "target": { "file": "media/libstagefright/timedtext/TextDescriptions.cpp", "function": "TextDescriptions::extract3GPPGlobalDescriptions" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "229386592317417695301799087523203399799", "109219931390342791495629278406969013539", "198744136753815729415861381615626259319", "237196193812767868580563222050800769717" ] }, "id": "ASB-A-233735886-98a328bb", "source": "https://android.googlesource.com/platform/frameworks/av/+/b63d4e785ba4d896bbbd50d4f09bda13294926af", "deprecated": false, "signature_version": "v1", "target": { "file": "media/libstagefright/timedtext/TextDescriptions.cpp" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/av/+/b63d4e785ba4d896bbbd50d4f09bda13294926af" ], "spl": "2022-09-01", "severity": "High", "types": [ "ID" ] }