CVE-2019-2107 looks scary. Still remember Stagefright and the PNG vulns .... With CVE-2019-2107 the decoder/codec runs under the mediacodec user, and with a properly "crafted" video (with tiles enabled - ps_pps->i1_tiles_enabled_flag) you can possibly do RCE. The codec affected is HEVC (a.k.a. H.265 and MPEG-H Part 2).
#exploit #rce #android #stagefright #cve
More info
LineageOS (Android):
02-11 20:18:48.238   260   260 D FFmpegExtractor: ffmpeg detected media content as 'video/hevc' with confidence 0.08
02-11 20:18:48.239   260   260 I FFMPEG: [hevc @ 0xb348f000] Invalid tile widths.
02-11 20:18:48.239   260   260 I FFMPEG: [hevc @ 0xb348f000] PPS id out of range: 0
02-11 20:18:48.240   260   260 I FFMPEG: [hevc @ 0xb348f000] Invalid tile widths.
02-11 20:18:48.240   260   260 I FFMPEG: [hevc @ 0xb348f000] PPS id out of range: 0
02-11 20:18:48.240   260   260 I FFMPEG: [hevc @ 0xb348f000] Error parsing NAL unit #5.
02-11 20:18:48.240   260   260 I FFMPEG: [hevc @ 0xb348f000] Invalid tile widths.
mplayer (laptop):
id: 0
[hevc @ 0x7f0bf58a7560] Decoding VPS
[hevc @ 0x7f0bf58a7560] Main profile bitstream
[hevc @ 0x7f0bf58a7560] Decoding SPS
[hevc @ 0x7f0bf58a7560] Main profile bitstream
[hevc @ 0x7f0bf58a7560] Decoding VUI
[hevc @ 0x7f0bf58a7560] Decoding PPS
[hevc @ 0x7f0bf58a7560] Invalid tile widths.
[hevc @ 0x7f0bf58a7560] Decoding SEI
[hevc @ 0x7f0bf58a7560] Skipped PREFIX SEI 5
[hevc @ 0x7f0bf58a7560] PPS id out of range: 0
[hevc @ 0x7f0bf58a7560] Error parsing NAL unit #5.
Error while decoding frame!
This is the check in ffmpeg that stops decoding when a tile width is bigger than allowed: https://gitlab.freedesktop.org/gstreamer/meson-ports/ffmpeg/blob/ebf648d490448d511b5fe970d76040169e65ef74/libavcodec/hevc_ps.c#L1526
So the checks are there in ffmpeg.
On stock/Google Android I think it will use libhevc, not ffmpeg, when using VideoPlayer.
https://www.droidviews.com/enjoy-hevc-h-265-video-playback-on-android/
I have the Google codec:
OMX.google.hevc.decoder
I am wondering, however, why it does not crash ....
Attaching the video (videopoc.mp4) that should trigger this condition:
+if(value >= ps_sps->i2_pic_wd_in_ctb - start)
+{
+    return IHEVCD_INVALID_HEADER;
+}
Maybe somebody has more luck.
More info 2
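The bound quoted above, rewritten as a stand-alone validator so the edge case can be checked without a decoder (added example, not libhevc's or the exploit author's code). It generalizes the column check to rows as well; the array and function names are assumed, and the numeric value of IHEVCD_INVALID_HEADER is a placeholder.

```c
#include <stdio.h>

/* The page quotes IHEVCD_INVALID_HEADER as the status the patched decoder
 * returns; the numeric values here are placeholders for this demo. */
#define IHEVCD_SUCCESS         0
#define IHEVCD_INVALID_HEADER -1

/* Check explicitly signalled tile sizes against the picture size in CTBs
 * (the page's ps_sps->i2_pic_wd_in_ctb for columns). sizes_minus1[i] is the
 * column_width_minus1 / row_height_minus1 syntax element (assumed array
 * name); the last tile takes whatever is left. The bound is the one quoted
 * on the page: value >= pic_dim_in_ctb - start is rejected, because ">="
 * would leave zero CTBs for the final tile and push 'start' past the edge. */
int validate_tile_dimension(const int *sizes_minus1, int num_tiles_minus1,
                            int pic_dim_in_ctb)
{
    int start = 0;
    for (int i = 0; i < num_tiles_minus1; i++) {
        int value = sizes_minus1[i] + 1;   /* ue(v) + 1, as the decoder reads it */
        if (value >= pic_dim_in_ctb - start)
            return IHEVCD_INVALID_HEADER;  /* tile reaches or passes the edge */
        start += value;
    }
    return IHEVCD_SUCCESS;
}

/* Constructed PPS tile layouts for an 8 x 6 CTB picture. */
int demo_valid_layout(void)
{
    const int widths_minus1[]  = {1, 2};   /* columns of 2 and 3 CTBs, 3 remain */
    const int heights_minus1[] = {0, 1};   /* rows of 1 and 2 CTBs, 3 remain */
    if (validate_tile_dimension(widths_minus1, 2, 8) != IHEVCD_SUCCESS)
        return IHEVCD_INVALID_HEADER;
    return validate_tile_dimension(heights_minus1, 2, 6);
}

int demo_oversized_layout(void)
{
    const int widths_minus1[] = {1, 6};    /* second column claims 7 >= 8 - 2 */
    return validate_tile_dimension(widths_minus1, 2, 8);
}

int main(void)
{
    printf("valid layout:     %d\n", demo_valid_layout());      /* 0 */
    printf("oversized layout: %d\n", demo_oversized_layout());  /* -1 */
    return 0;
}
```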
Whoooo hooo .... made it :)
Proof of concept is in hevc-crash-poc.mp4, other videos are for non-Android players.
HEVC-"fright" is possible. You can own the mobile by viewing a video with payload. In my example I didn't include real payload.
07-13 21:50:59.000  3351  3351 I /system/bin/tombstoned: received crash request for pid 24089
07-13 21:50:59.006 24089 24089 F DEBUG   : ************************************************
07-13 21:50:59.006 24089 24089 F DEBUG   : Build fingerprint: 'samsung/hero2ltexx/hero2lte:8.0.0/R16NW/G935FXXS4ESC3:user/release-keys'
07-13 21:50:59.006 24089 24089 F DEBUG   : Revision: '9'
07-13 21:50:59.006 24089 24089 F DEBUG   : ABI: 'arm64'
07-13 21:50:59.006 24089 24089 F DEBUG   : pid: 24089, tid: 24089, name: media.extractor  >>> mediaextractor <<<
07-13 21:50:59.006 24089 24089 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x7ccb800050
07-13 21:50:59.009 24089 24089 F DEBUG   :     x0  00000000ffffff36  x1  0000000000000000  x2  00000000000000f0  x3  0000000000000001
07-13 21:50:59.009 24089 24089 F DEBUG   :     x4  0000000000000001  x5  0000007ccb5df1b8  x6  0000007cc927363e  x7  0000007cc8e7bd04
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47119.zip