An out-of-memory (OOM) condition was found in the SkBmpRLECodec constructor in SkBmpRLECodec.cpp. It allows an attacker to cause a denial of service via a crafted BMP file whose RLE size field is far larger than the real size of the file.
SkCodecPrintf("Error: invalid starting location for pixel data\n");
While processing a BMP file, the SkBmpCodec::ReadHeader function uses the totalBytes and offset values read from the file header (lines 121-122) without validating them, so an attacker fully controls both values. In the crafted file used here, totalBytes is set to 0xffffffff and offset to 0x0.
The (totalBytes - offset) calculation then yields 0xffffffff (0xffffffff - 0x0), so RLEBytes is a very large number, 0xffffffff. This RLEBytes value is passed to the SkBmpRLECodec constructor on line 521, where it is used to size the RLE buffer and the oversized allocation triggers the OOM.
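The following is an added example, not Skia's code and not the reporter's proof-of-concept file. It is a minimal reader for the 14-byte BMP file header that reproduces the unchecked totalBytes - offset computation described above beside an illustrative hardened variant. The header bytes, the function names and the specific checks are all constructed for this illustration; the hardened checks are what a practitioner would want before sizing an allocation, not the upstream patch.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Size of the BMP file header: "BM" signature through bfOffBits. */
#define BMP_FILE_HEADER_BYTES 14

/* Little-endian 32-bit read; BMP stores its header fields little-endian. */
static uint32_t get_u32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Mirrors the unchecked computation from the text: both fields come straight
 * from the file, so RLEBytes = totalBytes - offset is attacker-controlled and
 * silently wraps if offset > totalBytes. */
uint32_t rle_bytes_unchecked(const uint8_t *hdr) {
    uint32_t total_bytes = get_u32le(hdr + 2);   /* bfSize    */
    uint32_t offset      = get_u32le(hdr + 10);  /* bfOffBits */
    return total_bytes - offset;                 /* would size the RLE buffer */
}

/* Hardened variant (illustrative, not the Skia fix): the declared sizes must be
 * consistent with the bytes actually available before they size anything.
 * file_len is the number of bytes really present in the stream.
 * Returns true and writes *out on success, false if the header is rejected. */
bool rle_bytes_checked(const uint8_t *hdr, size_t file_len, uint32_t *out) {
    if (file_len < BMP_FILE_HEADER_BYTES || hdr[0] != 'B' || hdr[1] != 'M') {
        return false;
    }
    uint32_t total_bytes = get_u32le(hdr + 2);
    uint32_t offset      = get_u32le(hdr + 10);
    /* Pixel data cannot start inside the file header. */
    if (offset < BMP_FILE_HEADER_BYTES) return false;
    /* The offset must lie inside the declared size (no underflow), and the
     * declared size must not exceed what was actually read (no promise of
     * bytes that do not exist, which is exactly the 0xffffffff case). */
    if (offset >= total_bytes) return false;
    if (total_bytes > file_len) return false;
    *out = total_bytes - offset;
    return true;
}

/* Constructed 14-byte file header matching the crafted values in the text:
 * "BM", bfSize = 0xffffffff, reserved fields, bfOffBits = 0x0. */
const uint8_t crafted_hdr[BMP_FILE_HEADER_BYTES] = {
    'B', 'M',
    0xff, 0xff, 0xff, 0xff,   /* totalBytes = 0xffffffff */
    0x00, 0x00, 0x00, 0x00,   /* reserved */
    0x00, 0x00, 0x00, 0x00    /* offset = 0x0 */
};

/* Constructed header for a plausible small RLE image: bfSize = 0x200,
 * bfOffBits = 0x36 (14-byte file header + 40-byte info header). */
const uint8_t sane_hdr[BMP_FILE_HEADER_BYTES] = {
    'B', 'M',
    0x00, 0x02, 0x00, 0x00,   /* totalBytes = 0x200 */
    0x00, 0x00, 0x00, 0x00,   /* reserved */
    0x36, 0x00, 0x00, 0x00    /* offset = 0x36 */
};

/* Wrappers exposing the two cases as plain return values. */
bool crafted_header_rejected(void) {
    uint32_t n = 0;
    /* The crafted "file" is only its 14 header bytes long. */
    return !rle_bytes_checked(crafted_hdr, sizeof crafted_hdr, &n);
}

uint32_t sane_header_rle_bytes(void) {
    uint32_t n = 0;
    /* Pretend the whole 0x200-byte file was read; only the header is inspected. */
    return rle_bytes_checked(sane_hdr, 0x200, &n) ? n : 0;
}

int main(void) {
    printf("unchecked RLEBytes for crafted header: 0x%08x\n",
           rle_bytes_unchecked(crafted_hdr));
    printf("checked, crafted header: %s\n",
           crafted_header_rejected() ? "rejected" : "accepted");
    printf("checked, sane header: RLEBytes = 0x%x\n", sane_header_rle_bytes());
    return 0;
}
```

The unchecked path returns 0xffffffff for the crafted header, which is the value that reaches the allocation in the vulnerable code; the checked path rejects it because the declared totalBytes exceeds the bytes actually present, and accepts the sane header with RLEBytes = 0x200 - 0x36.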
This vulnerability was credited to Zinuo Han of the Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd.
2016-11-29: ele7enxxh reported the vulnerability to Google.
2017-01-12: Google rated it as a High severity vulnerability.
2017-03-01: Google assigned CVE-2017-0548 to this vulnerability.
2017-04-03: Google released the patch and disclosed the details of CVE-2017-0548 in the Android Security Bulletin for April 2017.