> Samsung added a custom JPEG parser in Little Kernel that is used to show logos and error messages while booting. The code responsible for loading the JPEG file will place it in a fixed-size structure on the heap. But it never checks the size of the file, causing a heap overflow.
Heh, file format parsers - the GIFt that just keeps on giving
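The missing length check described in the quote, as an added example (not Samsung's or Little Kernel's code): a fixed-size heap slot that receives an image blob, an unchecked copy in the shape the comment describes, and the checked variant that rejects oversized input before it touches the heap. Struct layout, sizes, and function names are hypothetical.

```c
/* Added example: models a fixed-size heap structure that receives a boot
 * logo, and shows the size check the quoted comment says was missing.
 * All names and sizes are hypothetical, not taken from LK or Samsung. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define LOGO_BUF_SIZE 256          /* hypothetical capacity of the heap slot */
#define CANARY_VALUE  0xA5A5A5A5u  /* sentinel placed right after the buffer */

struct logo_slot {
    size_t   len;                 /* bytes actually stored in data[] */
    uint8_t  data[LOGO_BUF_SIZE]; /* fixed-size image buffer */
    uint32_t canary;              /* detects a write that runs past data[] */
};

/* Minimal sanity check on the blob: a JPEG stream starts with SOI (FF D8). */
static int looks_like_jpeg(const uint8_t *src, size_t n) {
    return src != NULL && n >= 2 && src[0] == 0xFF && src[1] == 0xD8;
}

/* Unchecked copy in the shape the comment describes: the caller-supplied
 * length is trusted, so any n > LOGO_BUF_SIZE corrupts whatever follows. */
static void load_logo_unchecked(struct logo_slot *s, const uint8_t *src, size_t n) {
    memcpy(s->data, src, n);
    s->len = n;
}

/* Checked copy: validate the header and the length before writing anything. */
static int load_logo_checked(struct logo_slot *s, const uint8_t *src, size_t n) {
    if (!looks_like_jpeg(src, n)) return -2;  /* not a JPEG stream */
    if (n > LOGO_BUF_SIZE)        return -1;  /* would overflow the slot */
    memcpy(s->data, src, n);
    s->len = n;
    return 0;
}

/* Builds a constructed blob of n bytes that carries a valid SOI marker. */
static uint8_t *make_blob(size_t n) {
    uint8_t *b = malloc(n);
    if (!b) return NULL;
    memset(b, 0x41, n);
    if (n >= 2) { b[0] = 0xFF; b[1] = 0xD8; }
    return b;
}

/* Returns the checked loader's result code for an n-byte blob, and reports
 * through *canary_ok whether the sentinel after the buffer survived. */
static int try_checked_load(size_t n, int *canary_ok) {
    struct logo_slot *s = calloc(1, sizeof *s);
    uint8_t *blob = make_blob(n);
    if (!s || !blob) { free(s); free(blob); return -99; }
    s->canary = CANARY_VALUE;
    int rc = load_logo_checked(s, blob, n);
    *canary_ok = (s->canary == CANARY_VALUE);
    free(blob);
    free(s);
    return rc;
}

/* In-bounds use of the unchecked loader; returns stored length. */
static size_t try_unchecked_in_bounds(size_t n) {
    struct logo_slot *s = calloc(1, sizeof *s);
    uint8_t *blob = make_blob(n);
    if (!s || !blob || n > LOGO_BUF_SIZE) { free(s); free(blob); return 0; }
    load_logo_unchecked(s, blob, n);
    size_t len = s->len;
    free(blob);
    free(s);
    return len;
}

int main(void) {
    int ok = 0;
    int rc = try_checked_load(LOGO_BUF_SIZE + 1, &ok);  /* rejected, canary intact */
    return (rc == -1 && ok) ? 0 : 1;
}
```

The unchecked loader is never called with an oversized blob here, because that write is undefined behaviour; the point is that the only difference between the two loaders is the comparison against the slot's capacity, which is the check the comment says the boot-time parser lacks.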
And it's not even the first time Samsung does this:
https://googleprojectzero.blogspot.com/2020/07/mms-exploit-p...
Are Samsung's "contributions" to LK public? Has nobody reviewed those until now?
The early bootchain components are critical to the security of the device. I am extremely surprised Samsung let a complete noob add code to it.
So I guess this is where widevine keys and whatnot are stored? Perhaps this is how the piracy scene gets 4k rips.
Relevant: https://news.ycombinator.com/item?id=38923033 (Picking the Widevine Locks: Acquiring and Using an L3 CDM; Jan, 2024; 71 comments)
L3 is the weaker security, not using the keys found in secure storage and limited to 720p (on most streaming platforms).
Yeah, a ton of L1 keys/CDMs come from Android devices where their secure storage isn't as secure as planned. For example, here's a link to an L1 CDM from an ASUS PadFone - https://github.com/widevineleak/ASUS_T00N_E3B35AC8_5492_L1