There is a memory corruption issue in the MFC media processing core on the Pixel 7. It occurs when decoding a malformed H264 stream in Chrome, likely to due to an out of bounds quantization parameter. A write to plane 0 that occurs during macroblock decoding extends past the allocated bounds of the plane, and can overwrite the motion vector (MV) buffer or cause a crash if the adjacent address is unmapped. Both of these allocations are DMA buffers and it is unclear whether this condition is exploitable.
03533e71b8963179a0ae3ad68550b9e5e705a79dd75292d232b287f1c47b89f6Shannon Baseband suffers from a memory corruption vulnerability that occurs when the baseband modem processes SDP when setting up a call. When an fmtp attribute is parsed, the integer that represents the payload type is copied into an 8-byte buffer using memcpy with the length of payload type as the length parameter. There are no checks that the payload type is less than 8-bytes long or actually an integer.
51aa5a7a2ca1d9308cad99d6da19581180aa08b8653f1c44406c7c5c7dc253b9Shannon Baseband suffers from a memory corruption vulnerability that occurs when the baseband modem processes SDP when setting up a call. SDP supports attributes acfg and pcfg that allow configuration information to be specified as integers. The baseband software allocates a fixed-size buffer for this information, but does not check that the number of integers specified by the SDP is within this bound. This can lead to memory corruption when processing an acfg or pcfg attribute that contains more than 14 format types.
f7237e53d6febca38b353f2be59e9064bb4853fb37c38f9779aa9f273abc1ff6Shannon Baseband suffers from a memory corruption vulnerability that occurs when the baseband modem processes SDP when setting up a call. SDP supports an attribute chatroom that allows multiple chat properties to be specified. The baseband software allocates a fixed-size buffer for these types, but does not check that the number of properties specified by the SDP is within this bound. This can lead to memory corruption when processing a chatroom attribute that contains more than 12 format types.
8cb6ebadee250d2e79ec5b2160d5e18c8dae53fae64e54aa90dddc180b42ce0dShannon Baseband suffers from a memory corruption vulnerability that occurs when the baseband modem processes SDP when setting up a call. SDP supports an attribute accept-type that allows multiple format types to be specified. The baseband software allocates a fixed-size buffer for these types, but does not check that the number of format types specified by the SDP is within this bound. This can lead to memory corruption when processing an accept-type attribute that contains more than 12 format types.
3e5dd3b9a11c7e00afc44d10af02f39c84d18710dc6778f472e078fbfd7d018bIn the function AppleAVDUserClient::decodeFrameFig, a location in the decoder's IOSurface input buffer is calculated, and then bzero is called on it. The size of this IOSurface's allocation is controllable by the userspace caller, so the calculated pointer can go out of bounds, leading to memory corruption. This issue could potentially allow an unprivileged local application to escalate its privileges to the kernel.
a9f971c8dcec3381b92b6bafb61fc99c1b1da326eec460ede2682c51580f3f3eIn AppleAVD.kext, pixel buffers are mapped by calling AppleAVDUserClient::_mapPixelBuffer, which eventually calls AppleAVD::allocateKernelMemoryInternal. If the buffer is an IOSurface, the function calls IOSurface::deviceLockSurface before allocating memory by calling prepare. But when a pixel buffer is unmapped by calling AppleAVDUserClient::_unmapPixelBuffer, which calls AppleAVD::deallocateKernelMemoryInternal, the IOSurface is not locked before calling complete. This means that mapping and unmapping can occur at the same time, leading to kernel memory corruption. This bug could allow escalation to kernel privileges from a local app.
fa06dd34c9fcfaf9f03c6a70c7fd7fc078ff6872d40e76e3295731e58256ce8aThere is a buffer overflow in how AppleAVD.kext parses the ref_pic_list_modification component of H264 slice headers in AVC_RBSP::parseSliceHeader. When pic modification entries are copied into the pic modification list, the loop only terminates when the end code (3) is encountered, meaning that any number of entries can be copied into the fixed size modification buffer. This can corrupt the remainder of the decoder structure, as well as write outside of allocated memory.
f0e86dbff30f8c2f08674e561b12277b9f50b736d022814b1917489c1e9f1d2cAppleVideoDecoder suffers from an out-of-bounds free vulnerability. The attached video file contains a malformed HEVC Decoder Configuration Record that leads to an out-of-bounds free in CreateHeaderBuffer. When copying the VPS, PPS and SPS, the destination pointer is incremented, and if the copied data is larger than the length specified in the input file, it breaks and falls through to a condition that frees the destination pointer, even though it has been incremented. This could free the chunk allocated next to the destination memory.
a49f6411c8b8733ea1c031b562f4509169b737f83ae46d802b8cf4aed5bd1cb1Zoom suffers from an information leak vulnerability in the MMR server.
ceaa806e1faea132492fe57be7bbd693988b712326fabb4aec96193d0e3374d0Zoom suffers from a buffer overflow vulnerability related to the processing of chat message.
a6e816c46fce3985cc7b2b11b9e6f3edebe9b65dcbbbf65037027c3d32e954f0There is a heap corruption bug that can occur when QT processes a malformed TIFF image. It happens because the size of the QImageData backing the image is calculated is calculated using the format of the image, meanwhile TIFFReadScanline calculates the length to be read based on TIFFScanlineSize, which determines the size base on three tags in the TIFF file, width, samples per pixel and bits per sample.
765990ea3bd9f2c14232bcfa3535efba165c1990d1e7949df33a649783e33d0bGstreamer suffers from a use-after-free vulnerability in Matroska demuxing.
c5185c2d6107c05661116151a51a24e93e1142b438889272be0f92a6c3fe8e61The QImage class can read out-of-bounds when reading a specially-crafted PNG file, where a tag byte offset goes out of bounds. This could potentially allow an attacker to determine values in memory based on the QImage pixels, if QT is used to process untrusted images.
f89e3b09d6fb627d5b5269e3b5d3b0c770cd2aefc3bbd97c7b659ae459e07be2The QImageReader class can read out-of-bounds when converting a specially-crafted TIFF file into a QImage, where the TIFF tile length is inconsistent with the tile size. This could potentially allow an attacker to determine values in memory based of the QImage pixels, if QT is used to process untrusted images.
766b77fab4c5903f5bd4ca7cb9d967ba5f26ec50db568fd2f7147cf8314ad4bcFacebook Messenger for Android has an issue where an SdpUpdate message can cause an audio call to connect before the callee has answered the call.
04464f2fe392295e7708a1e61a2b9787bbae3f555ff1d70e748d2bc354c01184A race condition in Google Duo can cause callee to leak video packets from an unanswered call.
75c4a6bf7b5879fefad93fa040fba864edc81a79c13824706bd13a0117456a85Mocha for Android suffers from an issue where a call can cause the callee device to send audio without user interaction.
078a2b1dbfd8b4b095b8a8f5aa7337b720212abfd0a23556c214315335c030beJioChat for Android has an issue where a caller can cause the callee device to send audio without user interaction.
edecbfc8b4a9983d43bc2e09c3718b3a564b9282a9cb1a917263dc101dee08daThere is a stack buffer overflow in usrsctp when a server processes a skipped auth block from an incoming connection. Proof of concept exploit included.
b4818f86982c067d7cd9afcbfcee314e412f968d7d9b859927f8e3573839fad7WebRTC suffers from an out-of-bounds memory write in the method RtpFrameReferenceFinder::UpdateLayerInfoH264. This occurs when updating the layer info with the frame marking extension.
06971daf4e8e1b40696e457b7e355f90460b37a0e0308f2559ba4a2fa0af726fWhen WebRTC processes a packet using FEC, it does not adequately check bounds when zeroing the video timing extension.
157cd64dc55515807088f940f00ae62c6d3ee089d4b0fc465f7fca79aaf47e9ausersctp is SCTP library used by a variety of software including WebRTC. There is a vulnerability in the sctp_load_addresses_from_init function of usersctp that can lead to a number of out-of-bound reads. The input to sctp_load_addresses_from_init is verified by calling sctp_arethere_unrecognized_parameters, however there is a difference in how these functions handle parameter bounds. The function sctp_arethere_unrecognized_parameters does not process a parameter that is partially outside of the limit of the chunk, meanwhile, sctp_load_addresses_from_init will continue processing until a parameter that is entirely outside of the chunk occurs. This means that the last parameter of a chunk is not always verified, which can lead to parameters with very short plen values being processed by sctp_load_addresses_from_init. This can lead to out-of-bounds reads whenever the plen is subtracted from the header len.
97c80f0acd4440a67c9cef234fa02985f9feafd4eb0418feb0ed3a434ae21930libx264 suffers from an out-of-bounds write when converting to H264.
111be6fbb98fc110e6e2b2c9221c300e8a2b5fde3c040bd6803fb5b1d6f39185There is a memory corruption vulnerability in audio processing during a voice call in WeChat. When an RTP packet is processed, there is a call to UnpacketRTP. This function decrements the length of the packet by 12 without checking that the packet has at least 12 bytes in it. This leads to a negative packet length. Then, CAudioJBM::InputAudioFrameToJBM will check that the packet size is smaller than the size of a buffer before calling memcpy, but this check (n < 300) does not consider that the packet length could be negative due to the previous error. This leads to an out-of-bounds copy.
a0b85c6f0d5c0b58add65cb309bf9193d2b63ceb17c68e1f5561d25888f0f991
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed