xorl %eax, %eax

CVE-2009-3377: Mozilla Firefox liboggz Memory Corruption


This vulnerability, which was released in MFSA-2009-63, was discovered by Georgi Guninski and affects Mozilla Firefox 3.5 prior to the 3.5.4 release. The vulnerable code resides in the media/liboggz/src/liboggz/ directory. Specifically, the file dirac.c includes the following…

int
dirac_parse_info (dirac_info *info, unsigned char * data, long len)
{
  dirac_bs_t bs;
  ogg_uint32_t video_format;
      ...
  static const struct {
    ogg_uint32_t width, height;
  } dirac_fsize_tbl[] = { /* table 10.3 framesize */
    {640,460}, {24,1}, {176,120}, {352,240}, {352,288},
    {704,480}, {704,576}, {720,480}, {720,576},
    {1280, 720}, {1280, 720}, {1920, 1080}, {1920, 1080},
    {1920, 1080}, {1920, 1080}, {2048, 1080}, {4096, 2160}
  };
      ...
  info->video_format = video_format = dirac_uint( &bs ); /* index */

  info->width = dirac_fsize_tbl[video_format].width;
  info->height = dirac_fsize_tbl[video_format].height;
  if (dirac_bool( &bs )) {
    info->width = dirac_uint( &bs ); /* frame_width */
    info->height = dirac_uint( &bs ); /* frame_height */
  }
      ...
  return 0;
}

It is quite obvious that the video format integer, which was read using dirac_uint(), is used directly as an index into the ‘dirac_fsize_tbl[]’ array without any bounds check. This means that a specially crafted OGG file could supply a video format value beyond the allowed range, indexing past the end of the table, in order to trigger this memory corruption.
To fix this, the patch was fairly simple, as you can see below.

  info->level = dirac_uint( &bs ); /* level */
  info->video_format = video_format = dirac_uint( &bs ); /* index */

+ if (video_format >= (sizeof(dirac_fsize_tbl) / sizeof(dirac_fsize_tbl[0]))) {
+   return -1;
+ }
+
  info->width = dirac_fsize_tbl[video_format].width;
  info->height = dirac_fsize_tbl[video_format].height;
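Review bot: the bound check on the `+ if (video_format >= (sizeof(dirac_fsize_tbl) / sizeof(dirac_fsize_tbl[0])))` line is only correct because video_format is an unsigned ogg_uint32_t (so no negative value can slip under the comparison) and dirac_fsize_tbl is a real array in this scope rather than a pointer, so the sizeof division yields the element count; a short comment or an ARRAY_SIZE-style macro would make both assumptions visible to the next editor. Since dirac_parse_info previously only ever returned 0, every caller should also be checked to actually handle the new -1 return instead of using the partially filled info struct.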

By doing so, video formats beyond the boundaries of the ‘dirac_fsize_tbl[]’ array are rejected immediately by returning -1.
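As an added illustration, not code from liboggz or from the post, the snippet below pairs a minimal bit reader with the bounds-checked lookup the patch introduces, using the table values as reproduced above; it assumes dirac_uint() decodes Dirac's interleaved exp-Golomb unsigned coding, and the bit reader, ARRAY_SIZE macro and function names are mine. An index of 17 (one past the table) or an over-long run of zero bits is rejected with -1 instead of being used to read past the table.

```c
#include <stddef.h>
#include <stdint.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Minimal MSB-first bit reader (constructed for this example). Past the end
 * of the buffer it yields 1 so a variable-length code always terminates. */
typedef struct { const uint8_t *buf; size_t len; size_t bitpos; } bitreader_t;

static int read_bit(bitreader_t *br)
{
    if (br->bitpos >= br->len * 8) return 1;
    int bit = (br->buf[br->bitpos / 8] >> (7 - br->bitpos % 8)) & 1;
    br->bitpos++;
    return bit;
}

/* Dirac interleaved exp-Golomb unsigned integer (assumed to be the coding
 * dirac_uint() decodes). Codes longer than 32 bits are mapped to UINT32_MAX
 * so an attacker-controlled run of zeros cannot wrap the accumulator. */
static uint32_t read_uint(bitreader_t *br)
{
    uint32_t value = 1;
    while (!read_bit(br)) {
        if (value & 0x80000000u) return UINT32_MAX;
        value <<= 1;
        if (read_bit(br)) value |= 1;
    }
    return value - 1;
}

/* Frame-size table with the 17 entries as reproduced in the post. */
static const struct { uint32_t width, height; } fsize_tbl[] = {
    {640,460}, {24,1}, {176,120}, {352,240}, {352,288},
    {704,480}, {704,576}, {720,480}, {720,576},
    {1280,720}, {1280,720}, {1920,1080}, {1920,1080},
    {1920,1080}, {1920,1080}, {2048,1080}, {4096,2160}
};

/* The fixed lookup: any index outside the table is rejected, as in the patch. */
int lookup_frame_size(uint32_t video_format, uint32_t *w, uint32_t *h)
{
    if (video_format >= ARRAY_SIZE(fsize_tbl)) return -1;
    *w = fsize_tbl[video_format].width;
    *h = fsize_tbl[video_format].height;
    return 0;
}

/* Decode the video_format field from raw bytes and resolve it safely. */
int parse_frame_size(const uint8_t *data, size_t len, uint32_t *w, uint32_t *h)
{
    bitreader_t br = { data, len, 0 };
    return lookup_frame_size(read_uint(&br), w, h);
}
```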

Written by xorl

November 12, 2009 at 21:46

Posted in bugs
