Coordinated Disclosure Timeline

Project

GStreamer

Tested Version

Development version (2024/09/25)

Details

Null pointer dereference in id3v2_read_synch_uint (GHSL-2024-235)

A null pointer dereference has been discovered in the id3v2_read_synch_uint function, located in id3v2.c.

If id3v2_read_synch_uint is called with a NULL work->hdr.frame_data, its guint8 *data parameter is dereferenced without validation, resulting in a null pointer dereference.

static gboolean id3v2_frames_to_tag_list (ID3TagsWorking * work, guint size){
  guint frame_hdr_size;

  /* Extended header if present */
  if (work->hdr.flags & ID3V2_HDR_FLAG_EXTHDR) {
    /* work->hdr.frame_data may be NULL here; it is passed on without a check */
    work->hdr.ext_hdr_size = id3v2_read_synch_uint (work->hdr.frame_data, 4);
...
}
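The following is an added illustration, not GStreamer's code: a hypothetical defensive reader for ID3v2 synchsafe integers (7 data bits per byte, most significant bit always clear) and a caller modelled on the extended-header branch above, with the NULL and length validation that the reported call path lacks. All function and struct names here are assumptions; only the flag bit value follows the ID3v2 header layout.

```c
/* Added example (not GStreamer's code): a defensive synchsafe-integer
 * reader plus a caller modelled on the advisory's EXTHDR branch, adding
 * the NULL check the reported call path lacks. Names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#define ID3V2_HDR_FLAG_EXTHDR 0x40  /* ID3v2 "extended header present" bit */

/* Decode `size` synchsafe bytes (at most 4) from a buffer holding `avail`
 * bytes. Refuses NULL or short input; *out is written only on success. */
bool read_synch_uint_checked(const uint8_t *data, size_t avail,
                             size_t size, uint32_t *out)
{
    if (data == NULL || out == NULL || size == 0 || size > 4 || avail < size)
        return false;
    uint32_t result = 0;
    for (size_t i = 0; i < size; i++) {
        if (data[i] & 0x80)  /* MSB set is never valid in a synchsafe byte */
            return false;
        result = (result << 7) | (data[i] & 0x7f);
    }
    *out = result;
    return true;
}

/* Minimal stand-in for the parser state used by the advisory's snippet. */
struct id3_hdr {
    uint8_t flags;
    const uint8_t *frame_data;  /* NULL when no frame data was read */
    size_t frame_data_size;
    uint32_t ext_hdr_size;
};

/* Mirrors the EXTHDR branch: the original passes frame_data straight to
 * id3v2_read_synch_uint; here a NULL buffer fails cleanly instead. */
bool parse_ext_header(struct id3_hdr *hdr)
{
    if (!(hdr->flags & ID3V2_HDR_FLAG_EXTHDR))
        return true;  /* no extended header to read */
    return read_synch_uint_checked(hdr->frame_data, hdr->frame_data_size,
                                   4, &hdr->ext_hdr_size);
}

/* Decoded extended-header size, or UINT32_MAX when the input was refused. */
uint32_t ext_header_size_or_max(const uint8_t *frame_data, size_t len)
{
    struct id3_hdr hdr = { ID3V2_HDR_FLAG_EXTHDR, frame_data, len, 0 };
    return parse_ext_header(&hdr) ? hdr.ext_hdr_size : UINT32_MAX;
}
```

With frame_data set to NULL, ext_header_size_or_max returns UINT32_MAX rather than faulting, which is the behaviour a fix for this call path needs to guarantee.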

Impact

This vulnerability can result in a Denial of Service (DoS) by triggering a segmentation fault (SEGV).

CVE

Credit

This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2024-235 in any communication regarding this issue.