Telegram rlottie 7.0.1_2065 LOTGradient::populate Integer Overflow

Summary

Telegram rlottie 7.0.1_2065 is affected by a Integer Overflow in the LOTGradient::populate function: a remote attacker might be able to access heap memory out-of-bounds on a victim device. Note: we’ll walk through the android app sources, but the issue applies to iOS and macOS Telegram apps too.

Product description (from vendor)

“Telegram is a cloud-based mobile and desktop messaging app with a focus on security and speed.”. For more information visit https://telegram.org/.

CVE(s)

Details

Root cause analysis

Telegram uses a custom fork of rlottie to render animated stickers. The vulnerability is a signed integer overflow in LOTGradient::populate (starting at https://github.com/DrKLO/Telegram/blob/release-7.0.1_2065/TMessagesProj/jni/rlottie/src/lottie/lottiemodel.cpp#L198 ): an out-of-bounds read access is performed because the checks in place for malicious inputs are bypassable.

The integer mColorPoints comes directly from the animated sticker. Before using it to access the colorPoints in memory, the following check is performed at https://github.com/DrKLO/Telegram/blob/release-7.0.1_2065/TMessagesProj/jni/rlottie/src/lottie/lottiemodel.cpp#L204:

1
2
3
if (colorPoints < 0 || colorPoints * 4 > size) {
    colorPoints = size / 4;
}

In particular colorPoints * 4 might overflow and wraparound to INT_MIN. Shortly later it is used to calculate the pointer to the actual colorPoints in memory at https://github.com/DrKLO/Telegram/blob/release-7.0.1_2065/TMessagesProj/jni/rlottie/src/lottie/lottiemodel.cpp#L211, which could point out-of-bounds:

1
2
3
4
5
float *opacityPtr = ptr + (colorPoints * 4);
[...]
for (int i = 0; i < colorPoints; i++) {
    float       colorStop = ptr[0];
    LottieColor color = LottieColor(ptr[3], ptr[2], ptr[1], nullptr);

Proof of concept

A blogpost will be published soon on our blog with a PoC walkthrough and further details.

Impact

A remote attacker might be able to access Telegram’s heap memory out-of-bounds on a victim device.

Remediation

Upgrade to Telegram 7.1.0 (2090) or later.

Disclosure timeline

  • 30/09/2020:
    • Telegram releases version 7.1.0 (2090) with a patch

Credits

`polict` of Shielder

This advisory was first published on https://www.shielder.it/advisories/telegram-rlottie-lotgradient-populate-integer-overflow/

Date

16 February 2021