CVE-2016-3825
Description
mm-video-v4l2/vidc/venc/src/omx_video_base.cpp in mediaserver in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-08-01 allocates an incorrect amount of memory, which allows attackers to gain privileges via a crafted application, aka internal bug 28816964.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Android mediaserver, a heap buffer overflow in the video encoder's memory allocation allows privilege escalation via a crafted application.
Vulnerability
A heap buffer overflow exists in the video encoder component of Android's mediaserver, specifically in mm-video-v4l2/vidc/venc/src/omx_video_base.cpp. The function allocates an incorrect amount of memory for an opaque handle (nAllocLen is set to the wrong size), leading to a heap overflow. This affects Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-08-01. The issue is identified as internal bug 28816964 and was fixed in commit d575ecf607056d8e3328ef2eb56c52e98f81e87d to set nAllocLen to the size of the opaque handle itself. [1][2]
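The pattern the description points at, an allocation sized from the wrong type so that a later write of the opaque handle runs past nAllocLen, is illustrated below. This is an added example, not code from omx_video_base.cpp, AOSP or the commit above: the struct layouts (opaque_handle_t, small_header_t, buffer_header_t), the functions (alloc_header, store_handle, try_store) and the sample handle values are all constructed for illustration, and only the relationship between the two sizes matters. The store_handle check is the guard a defender wants in front of every copy into an OMX buffer: it refuses the write when the handle is larger than what was actually reserved instead of silently corrupting the heap.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical stand-in for the encoder's opaque handle. The real
 * structure used in omx_video_base.cpp is not reproduced here; only
 * the size relationship matters for the pattern. */
typedef struct {
    int32_t  fd;
    uint32_t offset;
    uint32_t size;
    uint8_t  reserved[20];
} opaque_handle_t;                     /* 32 bytes on common ABIs */

/* A smaller, unrelated type. Taking sizeof() of the wrong type when
 * setting nAllocLen is the kind of mistake the CVE describes. */
typedef struct {
    int32_t  fd;
    uint32_t size;
} small_header_t;                      /* 8 bytes */

/* Minimal buffer header carrying the field name the CVE refers to. */
typedef struct {
    uint8_t *pBuffer;
    size_t   nAllocLen;                /* bytes actually reserved at pBuffer */
} buffer_header_t;

static int alloc_header(buffer_header_t *hdr, size_t nAllocLen) {
    hdr->pBuffer   = calloc(1, nAllocLen);
    hdr->nAllocLen = hdr->pBuffer ? nAllocLen : 0;
    return hdr->pBuffer ? 0 : -1;
}

/* Before the fix: nAllocLen derived from the wrong type. */
size_t vulnerable_alloc_len(void) { return sizeof(small_header_t); }

/* After the fix: nAllocLen is the size of the opaque handle itself. */
size_t fixed_alloc_len(void) { return sizeof(opaque_handle_t); }

/* Copies a handle into the buffer only if it fits. Returns 0 on success,
 * -1 if the write would exceed nAllocLen. This bounds check is what turns
 * a silent heap overflow into a refused request. */
int store_handle(buffer_header_t *hdr, const opaque_handle_t *h) {
    if (hdr->pBuffer == NULL || sizeof(*h) > hdr->nAllocLen)
        return -1;
    memcpy(hdr->pBuffer, h, sizeof(*h));
    return 0;
}

/* Allocates with the given nAllocLen, attempts the store, frees the
 * buffer and returns the store result, so the two sizes can be compared. */
int try_store(size_t nAllocLen) {
    opaque_handle_t sample = { .fd = 7, .offset = 0, .size = 4096 }; /* constructed values */
    buffer_header_t hdr;
    int rc;
    if (alloc_header(&hdr, nAllocLen) != 0)
        return -1;
    rc = store_handle(&hdr, &sample);
    free(hdr.pBuffer);
    return rc;
}

int main(void) {
    printf("vulnerable nAllocLen=%zu -> store %s\n", vulnerable_alloc_len(),
           try_store(vulnerable_alloc_len()) == 0 ? "ok" : "refused");
    printf("fixed nAllocLen=%zu -> store %s\n", fixed_alloc_len(),
           try_store(fixed_alloc_len()) == 0 ? "ok" : "refused");
    return 0;
}
```

With the undersized allocation the guarded store is refused; with nAllocLen set to the handle's own size it succeeds. Without the guard, the first case is exactly the out-of-bounds heap write the bulletin describes.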
Exploitation
An attacker must deliver a crafted application that triggers the vulnerable code path in the mediaserver service. No additional privileges or authentication are required beyond the ability to run an application on the device. The application interacts with the video encoder via the OMX interface, causing the incorrect allocation to be used, which then overwrites adjacent heap memory. [1]
Impact
Successful exploitation allows an attacker to gain elevated privileges within the mediaserver process, leading to arbitrary code execution in that context. This could lead to local escalation of privilege, potentially enabling the attacker to access sensitive data or further compromise the device. The Android Security Bulletin for August 2016 rates this as a High severity vulnerability. [1]
Mitigation
The fix was included in the Android security bulletin for August 1, 2016, and is applied via the monthly security update. Users should ensure their devices have received the 2016-08-01 or later update. The commit d575ecf607056d8e3328ef2eb56c52e98f81e87d in the AOSP platform/hardware/qcom/media repository corrects the nAllocLen setting. Google Project Zero's bug tracker and the Android security bulletin provide the official mitigation details. [1][2]
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: 5.0.x < 5.0.2, 5.1.x < 5.1.1, 6.x < 2016-08-01
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3)
News mentions (0)
No linked articles in our index yet.