Coordinated Disclosure Timeline

Project

GStreamer

Tested Version

Details

Integer underflow in extract_cc_from_data leading to OOB-read (GHSL-2024-243)

An integer underflow has been identified in the extract_cc_from_data function in qtdemux.c, which extracts closed-caption data from the atoms of a QuickTime/MP4 sample.

In the FOURCC_c708 case, atom_length - 8 is computed without first checking that atom_length is at least 8. atom_length is an unsigned 32-bit value read from the atom header, so the subtraction wraps around when the attacker-controlled length is smaller than 8:

    case FOURCC_c708:
      if (fourcc != FOURCC_ccdp) {
        GST_WARNING_OBJECT (stream->pad,
            "Unknown data atom (%" GST_FOURCC_FORMAT ") for CEA708",
            GST_FOURCC_ARGS (fourcc));
        goto invalid_cdat;
      }
      *cclen = atom_length - 8;
      res = g_memdup2 (data + 8, *cclen);
      break;
    default:

When that subtraction wraps, *cclen holds a value just under 2^32 (for an atom_length of 0 through 7 it lands between 0xFFFFFFF8 and 0xFFFFFFFF), and g_memdup2 is then asked to copy that many bytes starting at data + 8. The copy reads far beyond the end of the sample buffer, giving an out-of-bounds (OOB) read.
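To make the arithmetic concrete, the following is an added example written for this advisory; it is not GStreamer's code or its patch. It reimplements the relevant part of the parsing logic in a stand-alone way: a helper that performs the unchecked atom_length - 8 exactly as in the vulnerable case, and a hardened extractor that rejects an atom whose declared length is below the 8-byte header or larger than the buffer that holds it. The function names (cclen_unchecked, extract_ccdp_checked, rd_be32), the FOURCC_CCDP constant and the sample atoms are all constructed for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* 'c','c','d','p' packed big-endian, matching how rd_be32 below reads
 * the fourcc field. This packing is an assumption of the example. */
#define FOURCC_CCDP 0x63636470u

/* Read a big-endian 32-bit integer (QuickTime atom headers are big-endian). */
static uint32_t rd_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Mirrors the vulnerable arithmetic: the length is trusted and the
 * subtraction is done on an unsigned 32-bit value, so any atom_length
 * below 8 wraps to a value just under 2^32. Nothing is copied here;
 * the return value is what would be handed to g_memdup2. */
size_t cclen_unchecked(uint32_t atom_length)
{
    uint32_t cclen = atom_length - 8;   /* wraps modulo 2^32 when atom_length < 8 */
    return cclen;
}

/* Hardened extractor: returns a heap copy of the atom payload and sets
 * *cclen, or returns NULL with *cclen = 0 when the atom is malformed.
 * Both bounds matter: atom_length < 8 is the underflow from the advisory,
 * atom_length > size would let a well-formed-looking header read past
 * the end of the buffer (a defensive check added by the example). */
uint8_t *extract_ccdp_checked(const uint8_t *data, size_t size, size_t *cclen)
{
    *cclen = 0;
    if (size < 8)
        return NULL;                      /* not even a full atom header */

    uint32_t atom_length = rd_be32(data);
    uint32_t fourcc = rd_be32(data + 4);
    if (fourcc != FOURCC_CCDP)
        return NULL;                      /* unknown data atom for CEA708 */

    if (atom_length < 8 || (size_t)atom_length > size)
        return NULL;                      /* invalid cdat: reject before subtracting */

    *cclen = atom_length - 8;
    uint8_t *res = malloc(*cclen ? *cclen : 1);
    if (res == NULL) {
        *cclen = 0;
        return NULL;
    }
    memcpy(res, data + 8, *cclen);
    return res;
}

int main(void)
{
    /* Constructed sample atoms: a valid 12-byte 'ccdp' atom with a 4-byte
     * payload, and a malformed one whose declared length (4) is smaller
     * than its own header. */
    const uint8_t good[12] = { 0, 0, 0, 12, 'c', 'c', 'd', 'p', 1, 2, 3, 4 };
    const uint8_t bad[12]  = { 0, 0, 0, 4,  'c', 'c', 'd', 'p', 1, 2, 3, 4 };

    printf("unchecked cclen for atom_length=4: %zu\n", cclen_unchecked(rd_be32(bad)));

    size_t n = 0;
    uint8_t *payload = extract_ccdp_checked(good, sizeof good, &n);
    printf("checked good atom: %s, cclen=%zu\n", payload ? "accepted" : "rejected", n);
    free(payload);

    payload = extract_ccdp_checked(bad, sizeof bad, &n);
    printf("checked bad atom: %s, cclen=%zu\n", payload ? "accepted" : "rejected", n);
    free(payload);
    return 0;
}
```

Running it shows the unchecked length for the malformed atom coming out as 4294967292 (0xFFFFFFFC), which is the size g_memdup2 would be asked to copy from an input only 12 bytes long; the checked variant rejects the same atom before the subtraction is ever performed.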

Impact

A crafted file can make the demuxer read up to roughly 4 GB of process memory following the sample buffer into a heap allocation, or crash the process with a segmentation fault (SEGV) when the read crosses into unmapped memory.

CVE

Credit

This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2024-243 in any communication regarding this issue.