Vulnerabilities > CVE-2009-0475 - Numeric Errors vulnerability in Android Opencore 2.0

047910
CVSS 6.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL

Summary

Integer underflow in the Huffman decoding functionality (pvmp3_huffman_parsing.cpp) in OpenCORE 2.0 and earlier allows remote attackers to cause a denial of service (process crash) and possibly execute arbitrary code via a crafted MP3 file that triggers heap corruption.

Vulnerable Configurations

Part Description Count
Application
Android
1

Common Weakness Enumeration (CWE)

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 33673 CVE(CAN) ID: CVE-2009-0475 OpenCORE是开放源码的多媒体解码子系统。 OpenCORE的pvmp3_huffman_parsing.cpp文件在Huffman解码期间存在整数下溢,导致在写入到堆分配缓冲区时出现错误的边界检查。如果用户受骗打开了恶意的mp3文件,就可以触发这个溢出,导致播放器崩溃或执行任意代码。 Android Open Source Project OpenCORE &lt;= 2.0 厂商补丁: Android Open Source Project --------------------------- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href=http://review.source.android.com/Gerrit#change target=_blank rel=external nofollow>http://review.source.android.com/Gerrit#change</a>,8815
idSSV:4740
last seen2017-11-19
modified2009-02-11
published2009-02-11
reporterRoot
titleOpenCORE pvmp3_huffman_parsing.cpp MP3文件解析整数下溢漏洞