Coordinated Disclosure Timeline

Project

GStreamer

Tested Version

Details

Integer underflow in FOURCC_strf parsing leading to OOB-read (GHSL-2024-242)

An integer underflow has been found in the qtdemux_parse_trak function in qtdemux.c.

In the FOURCC_strf parsing case, the subtraction size -= 40 underflows (wraps around) when size is less than 40, because nothing checks the value before subtracting:

static gboolean
qtdemux_parse_trak (GstQTDemux * qtdemux, GNode * trak)
{
  ...
        case FOURCC_strf:
        {
          GstBuffer *buf;
          ...
          /* no lower-bound check on size: values below 40 wrap here */
          size -= 40;   /* we'll be skipping BITMAPINFOHEADER */
          if (size > 1) {   /* a wrapped size passes this test */
            ...
            buf = gst_buffer_new_and_alloc (size);
            gst_buffer_fill (buf, 0, avc_data + 8 + 40, size);
            ...
          }
          break;
        }

When that happens, the wrapped value is passed as the size to gst_buffer_fill, whose memcpy then runs with a very large tocopy, resulting in an OOB read:

gsize
gst_buffer_fill (GstBuffer * buffer, gsize offset, gconstpointer src, gsize size)
{
  ...
      tocopy = MIN (info.size - offset, left);   /* left derives from the caller's size */
      memcpy ((guint8 *) info.data + offset, ptr, tocopy);
  ...
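To make the defect and its fix concrete, the following is an added example, not GStreamer's code: the unchecked subtraction in isolation, beside a hardened strf handler that validates the declared atom size against the bytes actually present before subtracting or copying. The atom layout (8-byte header, 40-byte BITMAPINFOHEADER, then codec data), the function names and the sample atom are assumptions made for the example.

```c
#include <stdint.h>
#include <string.h>
#define ATOM_HDR 8    /* 4-byte big-endian size + 4-byte FOURCC */
#define BMIH_LEN 40   /* BITMAPINFOHEADER that the strf case skips */

/* The vulnerable arithmetic in isolation: with an unsigned 'size', "size -= 40"
 * wraps to a value near 4GB when size < 40, and "size > 1" then passes. */
uint32_t strf_len_unchecked(uint32_t size)
{
    size -= BMIH_LEN;
    return size > 1 ? size : 0;   /* count that would reach memcpy */
}

static uint32_t rd_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Hardened handling (assumed layout: atom header, 40-byte BITMAPINFOHEADER,
 * then codec data). Every bound is checked before subtracting or copying.
 * Returns bytes copied, or -1 for a malformed atom. */
long parse_strf(const uint8_t *atom, size_t avail, uint8_t *dst, size_t cap)
{
    if (avail < ATOM_HDR) return -1;
    uint32_t size = rd_be32(atom);
    if (size > avail) return -1;                   /* declared > bytes present */
    if (size < ATOM_HDR + BMIH_LEN + 2) return -1; /* cannot hold header + >1 byte */
    size_t payload = size - ATOM_HDR - BMIH_LEN;   /* cannot underflow now */
    if (payload > cap) return -1;
    memcpy(dst, atom + ATOM_HDR + BMIH_LEN, payload);
    return (long)payload;
}

/* Constructed 52-byte sample: header, zeroed BITMAPINFOHEADER, then "ABCD". */
static const uint8_t SAMPLE_ATOM[52] = {
    0, 0, 0, 52, 's', 't', 'r', 'f', [48] = 'A', 'B', 'C', 'D'
};

/* Re-parses the sample with its size field overwritten by 'declared', so
 * undersized and oversized size fields can be exercised. -2 = wrong bytes. */
long parse_sample_with_size(uint32_t declared)
{
    uint8_t atom[sizeof SAMPLE_ATOM], out[16];
    memcpy(atom, SAMPLE_ATOM, sizeof atom);
    atom[0] = (uint8_t)(declared >> 24); atom[1] = (uint8_t)(declared >> 16);
    atom[2] = (uint8_t)(declared >> 8);  atom[3] = (uint8_t)declared;
    long n = parse_strf(atom, sizeof atom, out, sizeof out);
    return (n == 4 && memcmp(out, "ABCD", 4) != 0) ? -2 : n;
}
```

A size field of 20 yields a copy length of 0xFFFFFFEC in the unchecked path but is rejected outright by parse_strf, which is the check the original code lacks.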

Impact

This vulnerability can result in reading up to 4GB of process memory, or in a segmentation fault (SEGV) when the copy reaches invalid memory.

CVE

Credit

This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).

Contact

You can contact the GHSL team at securitylab@github.com. Please include a reference to GHSL-2024-242 in any communication regarding this issue.