4
edits
Changes
→PPC userspace exploits
Line 17:
Line 17:
When joining an array of strings, the lengths of the strings are summed to calculate the needed storage space. This summation is vulnerable to an integer overflow, which enables a heap overflow. As a result, a sprayed value from Javascript ends up as a vtable pointer, which can be used with a forged vtable to start a ROP chain. More information [http://googleprojectzero.blogspot.com/2014/07/pwn4fun-spring-2014-safari-part-i_24.html here].
When joining an array of strings, the lengths of the strings are summed to calculate the needed storage space. This summation is vulnerable to an integer overflow, which enables a heap overflow. As a result, a sprayed value from Javascript ends up as a vtable pointer, which can be used with a forged vtable to start a ROP chain. More information [http://googleprojectzero.blogspot.com/2014/07/pwn4fun-spring-2014-safari-part-i_24.html here].
+
+===Stagefright ‘stsc’(?) MP4 atom integer overflow===
+'''Present in system versions''': 5.4.0-5.5.0 (possibly older versions, too)
+
+'''Publicly exploited''': Yes
+
+'''Discovered by''': zhuowei, Marionumber1 and Mathew_Wi
+
+Documented libstagefright MP4 integer overflow.
+
+===Stagefright ‘tx3g’ MP4 atom integer overflow===
+'''Present in system versions''': 5.3.2-5.5.1 (possibly older versions, too)
+
+'''Publicly exploited''': Yes (wiiu_browserhax_fright)
+
+'''Discovered by''': yellows8
+
+Documented libstagefright MP4 integer overflow.
==PPC kernel exploits==
==PPC kernel exploits==