Source: https://code.google.com/p/google-security-research/issues/detail?id=497
Loading the bitmap bmp_memset.bmp can cause a crash due to a memset writing out of bounds.
I/DEBUG ( 2961): pid: 12383, tid: 12549, name: thread-pool-1  >>> com.sec.android.gallery3d <<<
I/DEBUG ( 2961): signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x89e84000
I/DEBUG ( 2961): x0 0000000089e8117c  x1 00000000000000ff  x2 00000000177fe13c  x3 0000000089e8117c
I/DEBUG ( 2961): x4 0000000000000004  x5 0000007f65f42300  x6 0000000000000002  x7 ffffffffffffffff
I/DEBUG ( 2961): x8 0000000089e83ff0  x9 0000007f65f020b0  x10 000000000000003c  x11 000000000000003b
I/DEBUG ( 2961): x12 0000007f65f02080  x13 00000000ffffffff  x14 0000007f65f02080  x15 00000000000061e0
I/DEBUG ( 2961): x16 0000007f6baccc10  x17 0000007f958f8d80  x18 0000007f9596da40  x19 0000007f65f0e180
I/DEBUG ( 2961): x20 0000007f65f54020  x21 00000000002f0020  x22 0000000000000020  x23 0000000005e00400
I/DEBUG ( 2961): x24 0000000000000004  x25 0000007f65f42300  x26 0000000000000020  x27 0000007f65f52080
I/DEBUG ( 2961): x28 00000000000001da  x29 0000000013071460  x30 0000007f6ba7e40c
I/DEBUG ( 2961): sp 0000007f66796130  pc 0000007f958f8e28  pstate 0000000020000000
I/DEBUG ( 2961):
I/DEBUG ( 2961): backtrace:
I/InjectionManager(12532): Inside getClassLibPath caller
I/DEBUG ( 2961): #00 pc 0000000000019e28  /system/lib64/libc.so (memset+168)
I/DEBUG ( 2961): #01 pc 0000000000030408  /system/lib64/libSecMMCodec.so (sbmpd_decode_rle_complete+64)
I/DEBUG ( 2961): #02 pc 0000000000033440  /system/lib64/libSecMMCodec.so (DecodeFile+120)
I/DEBUG ( 2961): #03 pc 000000000000c90c  /system/lib64/libSecMMCodec.so (Java_com_sec_samsung_gallery_decoder_SecMMCodecInterface_nativeDecode+436)
I/DEBUG ( 2961): #04 pc 000000000042ec00  /system/priv-app/SecGallery2015/arm64/SecGallery2015.odex
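The backtrace shows the fault inside memset called from the RLE decoder, the signature of a run length taken from the file and used to fill the output buffer without being checked against the space that remains. The following is an added example, not code from libSecMMCodec (which this page does not include): a minimal, hypothetical BMP RLE8 run decoder in C in which every encoded run, absolute run and delta is validated against the destination row and buffer before the memset or memcpy that performs it. The function names and the sample byte strings are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical RLE8 decoder (added example). Records are:
 *   count val        count > 0: encoded run, `count` pixels of `val`
 *   00 00            end of line
 *   00 01            end of bitmap
 *   00 02 dx dy      delta: move the cursor right by dx and down by dy
 *   00 n  b1..bn     absolute run of n literal pixels, padded to an even length
 * Output rows are stored top-down, `width` bytes each, for simplicity.
 * Returns 0 on success and -1 on malformed input; no byte is written to
 * `dst` unless it lies inside the current row and the buffer. */
int rle8_decode(const uint8_t *src, size_t src_len,
                uint8_t *dst, size_t width, size_t height)
{
    size_t x = 0, y = 0, i = 0;

    while (i + 1 < src_len) {            /* every record is at least two bytes */
        uint8_t count = src[i];
        uint8_t val   = src[i + 1];
        i += 2;

        if (count > 0) {
            /* Encoded run: the check that keeps memset inside the row.
             * x <= width always holds, so width - x cannot underflow. */
            if (y >= height || count > width - x)
                return -1;
            memset(dst + y * width + x, val, count);
            x += count;
            continue;
        }

        switch (val) {
        case 0:                          /* end of line */
            x = 0;
            y++;
            break;
        case 1:                          /* end of bitmap */
            return 0;
        case 2: {                        /* delta */
            if (i + 2 > src_len)
                return -1;
            uint8_t dx = src[i], dy = src[i + 1];
            i += 2;
            if (dx > width - x || dy > height - y)
                return -1;
            x += dx;
            y += dy;
            break;
        }
        default: {                       /* absolute run of `val` literal bytes */
            size_t n = val;
            size_t padded = (n + 1) & ~(size_t)1;
            if (i + padded > src_len)    /* source must hold the literals */
                return -1;
            if (y >= height || n > width - x)   /* destination must hold them */
                return -1;
            memcpy(dst + y * width + x, src + i, n);
            i += padded;
            x += n;
            break;
        }
        }
    }
    return -1;                           /* input ended without end-of-bitmap */
}

/* Constructed well-formed 4x2 image: a run, an absolute run, a run, then EOB.
 * Returns 1 when the decoded pixels match the expected bytes. */
int example_valid(void)
{
    const uint8_t src[] = { 0x04, 0xAA,              /* row 0: 4 x 0xAA */
                            0x00, 0x00,              /* end of line */
                            0x00, 0x03, 0x11, 0x22, 0x33, 0x00,  /* 3 literals + pad */
                            0x01, 0x44,              /* 1 x 0x44 */
                            0x00, 0x01 };            /* end of bitmap */
    const uint8_t expected[8] = { 0xAA, 0xAA, 0xAA, 0xAA, 0x11, 0x22, 0x33, 0x44 };
    uint8_t dst[8] = { 0 };
    if (rle8_decode(src, sizeof src, dst, 4, 2) != 0)
        return 0;
    return memcmp(dst, expected, sizeof expected) == 0;
}

/* Constructed malformed 4x1 image: a run of 9 pixels into a 4-pixel row.
 * An unchecked decoder would memset past the end of the buffer here;
 * this one returns -1 without writing. */
int example_overlong_run(void)
{
    const uint8_t src[] = { 0x09, 0xAA, 0x00, 0x01 };
    uint8_t dst[4] = { 0 };
    return rle8_decode(src, sizeof src, dst, 4, 1);
}

int main(void)
{
    printf("valid image decoded correctly: %d\n", example_valid());
    printf("overlong run rejected (rc=%d)\n", example_overlong_run());
    return 0;
}
```

The point of the example is where the check sits: the run length is compared with `width - x` and `y` with `height` before the fill, never after. A fuzzing harness for a decoder like this can run it under ASan and assert that malformed inputs return -1 rather than touching memory outside `dst`.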
To reproduce, download the file and open it in Gallery.
This issue was tested on a SM-G925V device running build number LRX22G.G925VVRU1AOE2.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38613.zip