GHSL-2024-243: Integer underflow in extract_cc_from_data leading to OOB-read in GStreamer - CVE-2024-47546

Coordinated Disclosure Timeline

• 2024-09-26: Issue reported at https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3849
• 2024-09-26: Issue acknowledged
• 2024-12-03: Fixed and disclosed

Project

Gstreamer

Tested Version

• Development version (2024/09/25)

Details

Integer underflow in extract_cc_from_data leading to OOB-read (GHSL-2024-243)

An integer underflow has been detected in extract_cc_from_data function within qtdemux.c.

In the FOURCC_c708 case, the subtraction atom_length - 8 may result in an underflow if atom_length is less than 8:

    case FOURCC_c708:
      if (fourcc != FOURCC_ccdp) {
        GST_WARNING_OBJECT (stream->pad,
            "Unknown data atom (%" GST_FOURCC_FORMAT ") for CEA708",
            GST_FOURCC_ARGS (fourcc));
        goto invalid_cdat;
      }
      *cclen = atom_length - 8;
      res = g_memdup2 (data + 8, *cclen);
      break;
    default:

When that subtraction underflows, *cclen ends up being a large number, and then cclen is passed to g_memdup2 leading to an out-of-bounds (OOB) read.

Impact

This vulnerability can result in reading up to 4GB of process memory or potentially causing a segmentation fault (SEGV) when accessing invalid memory.

CVE

• CVE-2024-47546

Credit

This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2024-243 in any communication regarding this issue.