Coordinated Disclosure Timeline

Project

GStreamer

Tested Version

1.25.0.1

Details

Uninitialized variable in gst_matroska_demux_add_wvpk_header leading to function pointer overwriting (GHSL-2024-197)

An uninitialized stack variable vulnerability has been identified in the gst_matroska_demux_add_wvpk_header function within matroska-demux.c.

In the following code snippet, when size < 4, the program calls gst_buffer_unmap with an uninitialized map variable:

static GstFlowReturn gst_matroska_demux_add_wvpk_header (GstElement * element, GstMatroskaTrackContext * stream, GstBuffer ** buf){
...
  GstMapInfo map, outmap;   /* map is only filled in later by gst_buffer_map (); nothing has mapped it yet on this path */
  guint8 *buf_data, *data;
...
  if (audiocontext->channels <= 2) {
     ...
    gsize size = gst_buffer_get_size (*buf);

    if (size < 4) {
      GST_ERROR_OBJECT (element, "Too small wavpack buffer");
      gst_buffer_unmap (*buf, &map);   /* map is still uninitialized stack memory here */
      return GST_FLOW_ERROR;
    }

gst_buffer_unmap hands the uninitialized map to gst_memory_unmap, which takes mem from it and dispatches through mem->allocator->mem_unmap_full or mem->allocator->mem_unmap. Because mem and its allocator come from whatever the stack happened to contain, this indirect call amounts to a function pointer hijack:

void gst_memory_unmap (GstMemory * mem, GstMapInfo * info){
...
  /* mem is info->memory; with an uninitialized info, mem->allocator and its
   * function pointers are read from uncontrolled stack contents */
  if (mem->allocator->mem_unmap_full)
    mem->allocator->mem_unmap_full (mem, info);
  else
    mem->allocator->mem_unmap (mem);
...
}
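As an added illustration that is not GStreamer's code and not part of the advisory, the following self-contained C models the unmap dispatch with stand-in types and shows the hardened shape of the size check: the early error path returns before anything has been mapped, and initialising the map structure (GStreamer provides GST_MAP_INFO_INIT for this) turns a stray unmap into a refused precondition instead of a jump through stack garbage. The type names, the unmap counter and the MAP_INFO_INIT macro are constructed for this example.

```c
#include <stddef.h>

/* Constructed stand-ins for the GStreamer types involved; not GStreamer's own code. */
typedef struct Memory Memory;
typedef struct {
  void (*mem_unmap_full) (Memory * mem, void *info);
  void (*mem_unmap) (Memory * mem);
} Allocator;
struct Memory { Allocator *allocator; };
typedef struct { Memory *memory; unsigned char *data; size_t size; } MapInfo;
#define MAP_INFO_INIT { NULL, NULL, 0 }   /* mirrors the role of GST_MAP_INFO_INIT */

static int unmap_calls;                    /* how often the allocator's unmap ran */
static void sys_unmap (Memory * mem) { (void) mem; unmap_calls++; }
static Allocator sys_alloc = { NULL, sys_unmap };
static Memory sys_mem = { &sys_alloc };

/* Models gst_memory_unmap: dispatches through function pointers reached from
 * info->memory. The precondition check rejects a MapInfo that was never mapped
 * (memory == NULL); an uninitialised MapInfo would bypass it with stack garbage. */
static int memory_unmap (MapInfo * info)
{
  Memory *mem = info->memory;
  if (mem == NULL)
    return 0;                              /* like g_return_val_if_fail: refused */
  if (mem->allocator->mem_unmap_full)
    mem->allocator->mem_unmap_full (mem, info);
  else
    mem->allocator->mem_unmap (mem);
  return 1;
}

static void buffer_map (size_t size, MapInfo * info)
{ info->memory = &sys_mem; info->data = NULL; info->size = size; }

/* Hardened shape of the size check: the early error path returns before any
 * map has happened, so nothing is unmapped there. Returns -1 on error, 0 on success. */
static int add_wvpk_header_fixed (size_t size)
{
  MapInfo map = MAP_INFO_INIT;             /* defence in depth: never garbage */
  if (size < 4)
    return -1;                             /* "Too small wavpack buffer" */
  buffer_map (size, &map);
  /* ... header handling would go here ... */
  memory_unmap (&map);                     /* unmap only what was mapped */
  return 0;
}

/* Defence in depth alone: keeps the original's stray unmap, but with an
 * initialised MapInfo the call is refused (-1) rather than dispatched (-2). */
static int add_wvpk_header_initialised_only (size_t size)
{
  MapInfo map = MAP_INFO_INIT;
  if (size < 4)
    return memory_unmap (&map) ? -2 : -1;
  return 0;
}
```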

Impact

This vulnerability could allow an attacker to hijack the execution flow, potentially leading to code execution.

CVE

Credit

This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2024-197 in any communication regarding this issue.