Improper handling of AIF(C) files leads to a memory access violation in the mediaserverd daemon. The bug is caused by improper parsing of the FLLR chunks in AIFC files. FLLR chunks are typically used to align other chunks to 4-byte boundaries (to improve parsing efficiency). If a padding of length 5 is required, FLLR followed by a null byte (0x00) is used for alignment. However, modifying the 0x00 byte causes this crash upon parsing. Upon inspection, exploitability was unconfirmed. Most of the tests were performed on an iPod with iOS 4.2.3 and an iPhone with iOS 5.0.1.
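As an added example (not code from the original report), the following bounds-checked AIFF/AIFC chunk walker shows the check a parser needs to avoid this class of out-of-bounds read: a chunk's declared size must never exceed the bytes that actually remain inside the FORM. The sample file and the mutation are constructed here; the assumption that the 0x00 byte right after the FLLR ID is the high-order byte of the chunk's big-endian size field is mine, not the report's.

```python
import struct

def iff_chunk(chunk_id: bytes, body: bytes) -> bytes:
    """Serialize one IFF chunk: 4-byte ID, big-endian 32-bit size, body, even-length pad."""
    return chunk_id + struct.pack(">I", len(body)) + body + (b"\x00" if len(body) & 1 else b"")

def build_aifc(chunks: list) -> bytes:
    """Wrap serialized chunks in a FORM/AIFC container with a correct FORM size."""
    payload = b"AIFC" + b"".join(chunks)
    return b"FORM" + struct.pack(">I", len(payload)) + payload

def parse_chunks(data: bytes) -> list:
    """Walk the chunk list with strict bounds checks. Each declared chunk size is
    validated against the bytes remaining in the FORM, so a corrupted FLLR size
    field is rejected instead of being used as a read length."""
    if len(data) < 12 or data[:4] != b"FORM" or data[8:12] not in (b"AIFF", b"AIFC"):
        raise ValueError("not an AIFF/AIFC FORM file")
    end = 8 + struct.unpack(">I", data[4:8])[0]
    if end > len(data):
        raise ValueError("FORM size exceeds file length")
    chunks, off = [], 12
    while off < end:
        if end - off < 8:
            raise ValueError(f"truncated chunk header at offset {off}")
        cid = data[off:off + 4]
        size = struct.unpack(">I", data[off + 4:off + 8])[0]
        body = off + 8
        if size > end - body:
            raise ValueError(f"chunk {cid!r} at offset {off} declares {size} bytes, only {end - body} remain")
        chunks.append((cid, body, size))
        off = body + size + (size & 1)  # odd-length bodies carry one pad byte not counted in size
    return chunks

# Constructed sample: AIFC COMM (1 channel, 0 frames, 16-bit, 44100 Hz as 80-bit float,
# "NONE" compression, empty pstring), a 5-byte FLLR padding chunk, and a minimal SSND.
COMM = struct.pack(">hIh", 1, 0, 16) + bytes.fromhex("400eac44000000000000") + b"NONE" + b"\x00\x00"
GOOD = build_aifc([iff_chunk(b"COMM", COMM), iff_chunk(b"FLLR", b"\x00" * 5), iff_chunk(b"SSND", b"\x00" * 8)])

def corrupt_fllr_size(data: bytes) -> bytes:
    """Constructed mutation (assumption): overwrite the 0x00 byte after the FLLR ID,
    i.e. the high byte of its size field, so the chunk claims far more data than exists."""
    i = data.index(b"FLLR")
    return data[:i + 4] + b"\x7f" + data[i + 5:]

def validate(data: bytes) -> str:
    """Summarize the parse result as a one-line verdict for triage."""
    try:
        return "ok: " + " ".join(c[0].decode() for c in parse_chunks(data))
    except ValueError as e:
        return "rejected: " + str(e)
```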
| Date | Event |
|---|---|
| 12th May | Reported to the Apple Security Team, with PoC. Exploitability unconfirmed. |
| 15th May | ACK from Apple Security Team. |
| 17th May | Request for update. |
| 19th May | Update from Apple, confirming crash on 5.1.1 also. |
| 19th June | Update from Apple, reclassifying the issue as non-security (out-of-bounds read), with low exploitability likelihood. |