Coordinated Disclosure Timeline

Project

GStreamer

Tested Version

Details

Null pointer dereference in qtdemux_parse_sbgp (GHSL-2024-238)

The function qtdemux_parse_sbgp in qtdemux.c is affected by a null pointer dereference vulnerability.

The function reads tack_properties_array->len without first checking the pointer, so when tack_properties_array is NULL that access is a null pointer dereference.

Crash 1:

    static gboolean qtdemux_parse_sbgp(..., GPtrArray * tack_properties_array, ...){
    ...
          if (index < tack_properties_array->len)
            properties = g_ptr_array_index (tack_properties_array, index);
          else
            GST_ERROR_OBJECT (qtdemux, "invalid group index %u", index);
    ...
    }
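
One way to guard the Crash 1 lookup, as an added example (not GStreamer's code and not the project's actual fix). `PtrArray`, `lookup_group_properties` and `resolve_entries` are hypothetical names written for this illustration; `PtrArray` copies the `pdata`/`len` fields of GLib's GPtrArray so the block builds without GLib, and the sample data is constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for GLib's GPtrArray (same pdata/len fields). */
typedef struct { void **pdata; unsigned int len; } PtrArray;
typedef enum { LOOKUP_OK, LOOKUP_NO_ARRAY, LOOKUP_BAD_INDEX } LookupStatus;

/* Guarded form of the Crash 1 lookup: the pointer is checked before
 * ->len is read, so a missing array becomes an error, not a SEGV. */
static LookupStatus
lookup_group_properties(const PtrArray *arr, unsigned int index, void **out)
{
    *out = NULL;
    if (arr == NULL)
        return LOOKUP_NO_ARRAY;      /* the case the advisory describes */
    if (index >= arr->len)
        return LOOKUP_BAD_INDEX;     /* the existing "invalid group index" case */
    *out = arr->pdata[index];
    return LOOKUP_OK;
}

/* Resolve a run of group indices as a parsing loop would; returns the
 * number resolved and stores the number rejected in *rejected. */
static unsigned int
resolve_entries(const PtrArray *arr, const unsigned int *indices,
                size_t n, unsigned int *rejected)
{
    unsigned int ok = 0;
    void *props;
    *rejected = 0;
    for (size_t i = 0; i < n; i++) {
        if (lookup_group_properties(arr, indices[i], &props) == LOOKUP_OK)
            ok++;
        else
            (*rejected)++;
    }
    return ok;
}

int main(void)
{
    /* Constructed sample data: two property entries, four indices. */
    static int a = 1, b = 2;
    void *items[] = { &a, &b };
    PtrArray arr = { items, 2 };
    const unsigned int indices[] = { 0, 1, 2, 7 };
    unsigned int rejected, ok = resolve_entries(&arr, indices, 4, &rejected);
    printf("array present: %u resolved, %u rejected\n", ok, rejected);
    ok = resolve_entries(NULL, indices, 4, &rejected);
    printf("array NULL:    %u resolved, %u rejected\n", ok, rejected);
}
```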

Another null dereference happens in the following code.

Crash 2:

    if (info->track_group_properties) {
      g_ptr_array_free (info->fragment_group_properties, TRUE);
      info->fragment_group_properties = NULL;
    }

Impact

This vulnerability can result in a Denial of Service (DoS) by triggering a segmentation fault (SEGV).

CVE

Credit

This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).

Contact

You can contact the GHSL team at securitylab@github.com. Please include a reference to GHSL-2024-238 in any communication regarding this issue.