Coordinated Disclosure Timeline

Project

Gstreamer

Tested Version

Details

OOB-read in qtdemux_parse_container (GHSL-2024-236)

An out-of-bounds (OOB) read vulnerability has been discovered in the qtdemux_parse_container function in qtdemux.c.

In the calling function qtdemux_parse_node, the value of length is not validated against the number of bytes actually present in buffer. If length is large enough, the assignment end = buffer + length makes end point beyond the end of buffer. The later check against node_length only compares the child atom's declared size with length, so it does not catch this case.

static gboolean qtdemux_parse_node (GstQTDemux * qtdemux, GNode * node, const guint8 * buffer, guint length){
....
  end = buffer + length;   /* length is trusted; end may lie past the real buffer */
...
  if (node_length > length)   /* compares against length, not the real buffer size */
    goto broken_atom_size;

The oversized end pointer is then passed to qtdemux_parse_container, whose while loop keeps iterating as long as buf < end. With end beyond the real buffer, the reads inside the loop access memory beyond the bounds of buf:

static void qtdemux_parse_container (GstQTDemux * qtdemux, GNode * node, const guint8 * buf, const guint8 * end){
...
  while (G_UNLIKELY (buf < end)) {   /* end was derived from the unchecked length */
    GNode *child;
    guint32 len;
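The following is an added example, not code from GStreamer or from this advisory. It models the two functions above in miniature: model_walk keeps the unsafe shape (end derived only from the declared length) and safe_walk the hardened one (end clamped to the bytes actually present, with an 8-byte header fit checked before each read). The atom bytes, the arena size and the 'leak' neighbour are constructed for the demo; so that the demo itself stays memory-safe, the "file" buffer is a slice of a larger arena whose tail stands in for neighbouring process memory, and offsets are used instead of raw pointer arithmetic so no out-of-range pointer is ever formed.

```c
/* Added example (not GStreamer code): unsafe vs. hardened container walk. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ARENA_SIZE 64   /* assumed size of the simulated memory region */

/* Big-endian 32-bit read: ISO-BMFF/QuickTime atom sizes are stored this way. */
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

struct walk_result {
    int atoms;          /* child atoms counted, or -1 if rejected as malformed */
    size_t max_offset;  /* highest byte offset read, relative to the buffer */
};

/* Unsafe shape: `end` comes straight from declared_length, as in
 * end = buffer + length, with no comparison against the real size.
 * arena_size only bounds the simulation; the real code has no such guard
 * and would read garbage or fault instead of stopping. */
static struct walk_result model_walk(const uint8_t *buf, size_t arena_size,
                                     uint32_t declared_length)
{
    struct walk_result r = {0, 0};
    uint64_t end = declared_length;          /* may lie far past the real data */
    uint64_t off = 0;
    while (off < end) {
        if (off + 8 > arena_size)            /* simulation guard only */
            break;
        uint32_t len = rd32(buf + off);      /* header read: this is the OOB read */
        if (len < 8 || len > end - off)      /* bounded by the wrong `end` */
            break;
        r.max_offset = (size_t)(off + 7);
        off += len;
        r.atoms++;
    }
    return r;
}

/* Hardened shape: clamp to what is really present and refuse to read a
 * header that does not fit. */
static struct walk_result safe_walk(const uint8_t *buf, size_t real_size,
                                    uint32_t declared_length)
{
    struct walk_result r = {0, 0};
    size_t end = declared_length < real_size ? declared_length : real_size;
    size_t off = 0;
    while (off < end) {
        if (end - off < 8) { r.atoms = -1; return r; }   /* truncated header */
        uint32_t len = rd32(buf + off);
        if (len < 8 || len > end - off) { r.atoms = -1; return r; }
        r.max_offset = off + 7;
        off += len;
        r.atoms++;
    }
    return r;
}

/* Constructed sample: a 28-byte container holding 'mvhd' (16 B) and 'trak'
 * (12 B), followed in the arena by 16 bytes standing in for unrelated heap
 * data that happens to look like an atom ('leak'). Returns the real size. */
static size_t build_arena(uint8_t *arena)
{
    static const uint8_t file[] = {
        0, 0, 0, 16, 'm', 'v', 'h', 'd', 1, 2, 3, 4, 5, 6, 7, 8,
        0, 0, 0, 12, 't', 'r', 'a', 'k', 9, 10, 11, 12,
    };
    static const uint8_t neighbour[] = {
        0, 0, 0, 16, 'l', 'e', 'a', 'k',
        0xde, 0xad, 0xbe, 0xef, 0xca, 0xfe, 0xba, 0xbe,
    };
    memset(arena, 0, ARENA_SIZE);
    memcpy(arena, file, sizeof file);
    memcpy(arena + sizeof file, neighbour, sizeof neighbour);
    return sizeof file;
}

int main(void)
{
    uint8_t arena[ARENA_SIZE];
    size_t real = build_arena(arena);
    /* The file declares 44 bytes for a container of which only 28 exist. */
    struct walk_result v = model_walk(arena, ARENA_SIZE, 44);
    struct walk_result s = safe_walk(arena, real, 44);
    printf("unsafe: %d atoms, last byte read at offset %zu (real size %zu)\n",
           v.atoms, v.max_offset, real);
    printf("safe:   %d atoms, last byte read at offset %zu\n", s.atoms, s.max_offset);
    return 0;
}
```

With a declared length of 44 the unsafe walk counts a third, non-existent atom and its last header read lands at offset 35, past the 28 real bytes; the hardened walk stops at two atoms and offset 23. The model simplifies the real loop (len values of 0 and 1, which carry special meaning in ISO-BMFF, are treated as malformed here), but the bounds logic is the part that matters for this bug.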

Impact

Because length is a 32-bit guint, end can be placed up to 4 GB beyond buffer. This vulnerability can therefore result in reading up to 4 GB of process memory past the buffer, or in a segmentation fault (SEGV) when the loop reaches unmapped memory.

CVE

Credit

This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2024-236 in any communication regarding this issue.