Associated vulnerability
Description
CVE-2025-54957
Introduction
# Dolby Unified Decoder (CVE-2025-54957) POC
> When a file is processed by Dolby's DDPlus Unified Decoder, an out of bounds write is possible when the evolution data is processed. The decoder writes evolution information into a large, heap-like contiguous buffer contained by a larger struct, and the length calculation for one write can overflow due to integer wrap. This leads to the 'allocated' buffer to be too small, and the out-of-bounds check of the subsequent write to be ineffective. This can allow later members of the struct to be overwritten, including a pointer that is written to when the next syncframe is processed.
On Android, this is a 0-click vulnerability, as Android locally decodes all incoming audio messages and audio attachments for transcription, using this decoder, without the user interacting with the device.
This code is present on MacOS, but it is not clear whether this bug is reachable due to pre-processing checks.
We will update this bug as we further investigate devices impacted by this vulnerability.
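The integer-wrap pattern the summary describes, as a constructed C illustration added here (not the Dolby decoder's code; the struct layout, field names, buffer size and the n_items/item_len parameters are assumptions): a length check that computes the total in the same 32-bit type that can wrap sits beside a version using overflow-checked arithmetic, so a wrapped length is rejected instead of passing the bounds check.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration, not the Dolby decoder's code. The layout mirrors the
 * report's description: a fixed-size buffer inside a larger struct, with a
 * pointer member after it that an out-of-bounds write could reach. */
#define EVO_BUF_SIZE 64u

struct decoder_state {
    uint8_t  evo_buf[EVO_BUF_SIZE];
    uint32_t evo_used;           /* bytes already written to evo_buf */
    void    *next_frame_ptr;     /* written when the next syncframe is handled */
};

/* Outcome of a bounds decision: did the check pass, and how many bytes would
 * the copy that follows actually emit. Nothing is written here, so the
 * wrapping variant can be exercised without corrupting memory. */
struct write_plan {
    bool     accepted;
    uint64_t bytes_to_write;
};

/* Wrapping pattern: n_items * item_len is computed in uint32_t and wraps,
 * so a huge request can look like a small one and pass the size check. */
struct write_plan plan_wrapping(uint32_t used, uint32_t n_items, uint32_t item_len) {
    uint32_t total = n_items * item_len;            /* 0x10000 * 0x10000 wraps to 0 */
    struct write_plan p = { false, (uint64_t)n_items * item_len };
    if ((uint64_t)used + total <= EVO_BUF_SIZE)     /* the check sees the wrapped value */
        p.accepted = true;
    return p;
}

/* Hardened pattern: overflow-checked multiply and add (GCC/Clang builtins),
 * so the checked total is the real total and any wrap is a rejection. */
struct write_plan plan_checked(uint32_t used, uint32_t n_items, uint32_t item_len) {
    struct write_plan p = { false, 0 };
    uint32_t total, end;
    if (__builtin_mul_overflow(n_items, item_len, &total)) return p;
    if (__builtin_add_overflow(used, total, &end)) return p;
    if (end > EVO_BUF_SIZE) return p;
    p.accepted = true;
    p.bytes_to_write = total;
    return p;
}

/* Full hardened write: copies only after plan_checked() accepts. */
bool evo_write(struct decoder_state *st, const uint8_t *src, uint32_t n_items, uint32_t item_len) {
    struct write_plan p = plan_checked(st->evo_used, n_items, item_len);
    if (!p.accepted) return false;
    memcpy(st->evo_buf + st->evo_used, src, (size_t)p.bytes_to_write);
    st->evo_used += (uint32_t)p.bytes_to_write;
    return true;
}

int main(void) {
    struct decoder_state st = {0};
    uint8_t payload[32] = {0};                       /* constructed sample data */
    struct write_plan v = plan_wrapping(0, 0x10000u, 0x10000u);
    printf("wrapping check: accepted=%d, real bytes=%llu\n",
           v.accepted, (unsigned long long)v.bytes_to_write);
    printf("checked write of 4*8 bytes: %d\n", evo_write(&st, payload, 4, 8));
    printf("checked write of 0x10000*0x10000: %d\n", evo_write(&st, payload, 0x10000u, 0x10000u));
    return 0;
}
```

The wrapping variant accepts a request whose real size is 4 GiB because the product it checks is 0; the checked variant reports the multiply overflow and refuses before any copy. Computing sizes in a wider type is not enough on its own; the add into the running offset needs the same treatment, which is why both builtins are used.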
## Attached are:
- dolby_android_crash.mp4 -- a containerized file that directly causes the crash on Android
- dolby_android_crash.ec3 -- the bitstream causing the Android crash
- dolby_evo_crash32.ec3 -- a bitstream that causes the crash on 32-bit targets (the above bitstream only crashes 64-bit targets)
The easiest way to reproduce this issue is to play dolby_android_crash.mp4 on an Android device.
To reproduce the issue as a 0-click:
1. Set up a test Android device to be able to send RCS messages to the target Android device
2. Open up RCS on the test device and create a voice message by holding the voice message icon, but do not send
3. Run:
```bash
adb -s TEST_DEVICE shell ls -l /data/user/0/com.google.android.apps.messaging/cache/mediascratchspace/
```
and note the name of the most recently written file (some files will have `*.m4a` extensions; the file in question is the one without an extension)
4. Run:
```bash
adb -s TEST_DEVICE push dolby_android_crash.mp4 /data/user/0/com.google.android.apps.messaging/cache/mediascratchspace/FILENAME
```
5. Send the audio message
6. The target device C2 process should crash.
## Test
Since filing this bug, we've investigated which devices integrate the Dolby Unified Decoder. We reproduced a crash using the files above on the following devices:
- A Pixel 9 running version 16 BP2A.250605.031.A2 (SIGSEGV crash)
- A Samsung S24 running version S921U1UES4AYB3 (SIGSEGV crash)
- A MacBook Air M1, 2020 running Tahoe 26.0.1 (-bounds-safety trap crash)
- An iPhone 17 Pro running iOS 26.0.1 (-bounds-safety trap crash)
Microsoft has published an advisory on this issue: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-54957
ChromeOS also fixed this issue in the binaries for the following release, though the bug is not mentioned in the advisory: https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-chromeos_18.html
File snapshot
[4.0K] /data/pocs/78e5fda54005a7c443f6fdf1b9eda05b83a63fa7
├── [1.7K] dolby_android_crash.ec3
├── [ 25K] dolby_android_crash.mp4
├── [ 880] dolby_evo_crash32.ec3
├── [ 18K] LICENSE
└── [2.9K] README.md
0 directories, 5 files
Notes
1. Accessing the POC through its original source is recommended.
2. If the source is no longer available or cannot be reached, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.