Coordinated Disclosure Timeline

Project

GStreamer

Tested Version

Development version (2024/09/25)

Details

OOB-write in isomp4/qtdemux.c (GHSL-2024-094)

In the following code snippet, the program attempts to reallocate the memory pointed to by stream->samples to accommodate stream->n_samples + samples_count elements of type QtDemuxSample:

stream->samples = g_try_renew (QtDemuxSample, stream->samples,
        stream->n_samples + samples_count);

The problem is that samples_count is read directly from the input file, and if this attacker-controlled value is large enough, the addition stream->n_samples + samples_count overflows.

As a consequence, g_try_renew might allocate memory for a significantly smaller number of elements than intended.

Following this, the program iterates through samples_count elements in the following loop:

sample = stream->samples + stream->n_samples;   /* start past the existing entries */
for (i = 0; i < samples_count; i++) {
...
    /* each iteration writes one QtDemuxSample, bounded only by the file-supplied count */
    sample->offset = *running_offset;
    sample->pts_offset = ct;
    sample->size = size;
    sample->timestamp = timestamp;
    sample->duration = dur;
...
}

This loop writes samples_count elements, which can exceed the size of the buffer actually allocated by the wrapped-around g_try_renew call, causing an OOB-write.
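To make the failure concrete, the following added example (written for this page, not GStreamer's code) contrasts the unchecked 32-bit element-count addition with a hardened version that rejects the input before reallocating. The Sample and Stream structs are constructed stand-ins that model only the fields the advisory's loop writes, and the counters are assumed to be 32-bit.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdbool.h>

/* Constructed stand-in for QtDemuxSample: only the fields written in the
 * advisory's loop are modelled; the real struct layout is not assumed. */
typedef struct {
    uint64_t offset;
    int32_t  pts_offset;
    uint32_t size;
    uint64_t timestamp;
    uint64_t duration;
} Sample;

typedef struct {
    Sample  *samples;
    uint32_t n_samples;   /* assumed 32-bit counter, like the demuxer's */
} Stream;

/* Unchecked form of the advisory's size computation: the 32-bit addition
 * wraps, so the returned element count can be far smaller than intended. */
uint32_t unchecked_total(uint32_t n_samples, uint32_t samples_count) {
    return n_samples + samples_count;
}

/* Hardened form: refuse the input when the element count would wrap or when
 * count * sizeof(Sample) would not fit in size_t. Returns true on success. */
bool checked_total(uint32_t n_samples, uint32_t samples_count, uint32_t *total) {
    if (samples_count > UINT32_MAX - n_samples)
        return false;                     /* would wrap the 32-bit counter */
    uint32_t sum = n_samples + samples_count;
    if ((size_t) sum > SIZE_MAX / sizeof(Sample))
        return false;                     /* byte size would overflow */
    *total = sum;
    return true;
}

/* Grow stream->samples by samples_count entries; 0 = ok, -1 = rejected. */
int grow_samples(Stream *stream, uint32_t samples_count) {
    uint32_t total;
    if (!checked_total(stream->n_samples, samples_count, &total))
        return -1;                        /* file-supplied count rejected */
    Sample *p = realloc(stream->samples, (size_t) total * sizeof(Sample));
    if (p == NULL)
        return -1;
    stream->samples = p;
    return 0;
}
```

With n_samples = 3 and a constructed samples_count of 0xFFFFFFFF, unchecked_total returns 2, which is the wrapped count a g_try_renew-style call would allocate for, while grow_samples rejects the same input.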

Impact

This vulnerability overwrites the entire process memory, leading to a segmentation fault (SEGV). This includes the metadata of malloc chunks, leading to various errors such as:

CVE

Credit

This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2024-094 in any communication regarding this issue.