Coordinated Disclosure Timeline

Project

Gstreamer

Tested Version

Development version (2024/09/25)

Details

OOB-write in convert_to_s334_1a (GHSL-2024-195)

An out-of-bounds write vulnerability was identified in the convert_to_s334_1a function in isomp4/qtdemux.c.

The vulnerability arises due to a discrepancy between the size of memory allocated to the storage array and the loop condition i * 2 < ccpair_size.

Specifically, when ccpair_size is even, the allocated size in storage does not match the loop’s expected bounds, resulting in an out-of-bounds write.


static guint8 *
convert_to_s334_1a (const guint8 * ccpair, guint8 ccpair_size, guint field,
    gsize * res)
{
...
  /* Allocation covers only complete pairs: (ccpair_size / 2) triplets. */
  *res = ccpair_size / 2 * 3;
  storage = g_malloc (*res);

  /* The loop runs once for every started pair, so it iterates
   * ceil(ccpair_size / 2) times and writes 3 bytes per iteration. */
  for (i = 0; i * 2 < ccpair_size; i += 1) {
    if (field == 1)
      storage[i * 3] = 0x80 | 0x00;
    else
      storage[i * 3] = 0x00 | 0x00;
    storage[i * 3 + 1] = ccpair[i * 2];
    storage[i * 3 + 2] = ccpair[i * 2 + 1];
  }
...
}

This bug allows for the overwriting of up to 3 bytes beyond the allocated bounds of the storage array.
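As an added example (not code from the advisory or from GStreamer), the block below computes, for any ccpair_size, the allocation the quoted function makes and the extent of the bytes its loop stores, so the mismatch can be checked without performing a single write; it then pairs that with a hypothetical hardened rewrite whose loop bound matches the allocation. The struct and function names are my own, and malloc stands in for g_malloc so it builds without GLib.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Allocation vs. write extent of the loop quoted above, computed without
 * touching memory: the allocation counts complete pairs, while the loop
 * runs once for every started pair, so they disagree when a byte is left over. */
typedef struct {
  size_t allocated; /* ccpair_size / 2 * 3, the size handed to g_malloc */
  size_t written;   /* one past the highest storage[] index the loop stores to */
} s334_bounds;

static s334_bounds s334_1a_bounds (uint8_t ccpair_size)
{
  s334_bounds b;
  size_t iterations = ((size_t) ccpair_size + 1) / 2; /* runs while i * 2 < size */
  b.allocated = (size_t) ccpair_size / 2 * 3;
  b.written = iterations * 3;
  return b;
}

static bool s334_1a_overruns (uint8_t ccpair_size)
{
  s334_bounds b = s334_1a_bounds (ccpair_size);
  return b.written > b.allocated;
}

/* Hypothetical hardened rewrite (my example, not GStreamer's patch): the loop
 * condition requires both bytes of a pair to exist, so its iteration count
 * equals the number of triplets the allocation covers and an unpaired
 * trailing byte is ignored. malloc stands in for g_malloc; caller frees. */
static uint8_t *convert_to_s334_1a_checked (const uint8_t * ccpair,
    uint8_t ccpair_size, unsigned field, size_t * res)
{
  size_t i;
  *res = (size_t) ccpair_size / 2 * 3;
  uint8_t *storage = malloc (*res == 0 ? 1 : *res); /* malloc(0) may be NULL */
  if (storage == NULL) {
    *res = 0;
    return NULL;
  }
  for (i = 0; i * 2 + 1 < ccpair_size; i++) {
    storage[i * 3] = (field == 1) ? 0x80 : 0x00;
    storage[i * 3 + 1] = ccpair[i * 2];
    storage[i * 3 + 2] = ccpair[i * 2 + 1];
  }
  return storage;
}
```

Sizes for which written exceeds allocated are exactly the inputs on which the original loop stores past the end of storage, by written minus allocated bytes (at most 3).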

Impact

This vulnerability lets attackers overwrite the metadata of certain malloc chunks, leading to various memory errors such as:

CVE

Credit

This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2024-195 in any communication regarding this issue.