Coordinated Disclosure Timeline

Project

GStreamer

Tested Version

Details

OOB-write in subparse/gstssaparse.c (GHSL-2024-228)

An OOB-write vulnerability has been identified in the gst_ssa_parse_remove_override_codes function of the gstssaparse.c file.

This function is responsible for parsing and removing SSA (SubStation Alpha) style override codes, which are enclosed in curly brackets ({}).

The vulnerability is present in the following code snippet:

static gboolean
gst_ssa_parse_remove_override_codes (GstSsaParse * parse, gchar * txt)
{
  gchar *t, *end;
  gboolean removed_any = FALSE;

  while ((t = strchr (txt, '{'))) {
    end = strchr (txt, '}');
    if (end == NULL) {
      GST_WARNING_OBJECT (parse, "Missing { for style override code");
      return removed_any;
    }
    /* move terminating NUL character forward as well */
    memmove (t, end + 1, strlen (end + 1) + 1);
    removed_any = TRUE;
  }

  ...

The issue arises when a closing curly bracket “}” appears before an opening curly bracket “{” in the input string: end is looked up from the start of txt rather than from t, so end + 1 can point before t. For example, consider the following input string:

0:02:16,00:02:19,376,S}nator, {9}{[INFORMATION]text

In this case, memmove() copies from a source that lies before the destination and so duplicates the substring “nator, ”, resulting in:

0:02:16,00:02:19,376,S}nator, nator, {9}{[INFORMATION]text

The “{” is never removed, so the loop runs again with the same t and end, re-inserting the same substring each time. With each successive iteration the string, and hence the size passed to memmove() (strlen(end + 1) + 1), grows by the length of that substring, and the copy soon writes beyond the allocated memory bounds.
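As an added illustration (not code from this advisory or from GStreamer), the first function below quantifies how many bytes the original loop's first memmove() writes past the allocation for the sample line above, and the second is one straightforward hardening that looks for “}” only after the “{” (an assumed fix, not necessarily the upstream patch). The sample line is the one from this advisory.

```c
#include <string.h>

/* Constructed sample line from the advisory: a '}' precedes the first '{'. */
static const char kMalformedLine[] =
    "0:02:16,00:02:19,376,S}nator, {9}{[INFORMATION]text";

/* How many bytes the original loop's first memmove() writes past the end of
 * txt's allocation. It copies strlen(end+1)+1 bytes to t, but only
 * strlen(t)+1 bytes remain there, so the excess is t - (end + 1) whenever the
 * first '}' sits before the first '{'. Returns 0 for a well-formed line. */
static size_t first_iteration_overflow (const char *txt)
{
  const char *t = strchr (txt, '{');
  const char *end;

  if (t == NULL)
    return 0;
  end = strchr (txt, '}');        /* the original searches from txt, not t */
  if (end == NULL || end > t)
    return 0;
  return (size_t) (t - (end + 1));
}

/* Hardened variant (added here; not necessarily the upstream patch): search
 * for '}' only after the '{', so end + 1 > t and memmove() never copies more
 * bytes than remain at t. Mirrors the original's return value. */
static int remove_override_codes_fixed (char *txt)
{
  char *t, *end;
  int removed_any = 0;

  while ((t = strchr (txt, '{'))) {
    end = strchr (t, '}');
    if (end == NULL)
      return removed_any;         /* unterminated code: leave the rest alone */
    memmove (t, end + 1, strlen (end + 1) + 1);
    removed_any = 1;
  }
  return removed_any;
}

/* Runs the hardened function on a copy of the sample line; "{9}" is removed
 * and the stray leading '}' is left untouched. */
static int fixed_result_matches (void)
{
  char buf[sizeof (kMalformedLine)];
  memcpy (buf, kMalformedLine, sizeof (buf));
  return remove_override_codes_fixed (buf) == 1
      && strcmp (buf, "0:02:16,00:02:19,376,S}nator, {[INFORMATION]text") == 0;
}
```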

Impact

This vulnerability keeps overwriting process memory beyond the buffer, leading to a segmentation fault (SEGV). The overwritten region includes the metadata of neighbouring malloc chunks, leading to various errors such as:

CVE

Credit

This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2024-228 in any communication regarding this issue.