Coordinated Disclosure Timeline
- 2024-09-26: Issue reported at https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3849
- 2024-09-26: Issue acknowledged
- 2024-12-03: Fixed and disclosed
Project
Gstreamer
Tested Version
- Development version (2024/09/25)
Details
Integer underflow in extract_cc_from_data leading to OOB-read (GHSL-2024-243)
An integer underflow has been detected in the extract_cc_from_data function within qtdemux.c.
In the FOURCC_c708 case, the subtraction atom_length - 8 may result in an underflow if atom_length is less than 8:
    case FOURCC_c708:
      if (fourcc != FOURCC_ccdp) {
        GST_WARNING_OBJECT (stream->pad,
            "Unknown data atom (%" GST_FOURCC_FORMAT ") for CEA708",
            GST_FOURCC_ARGS (fourcc));
        goto invalid_cdat;
      }
      *cclen = atom_length - 8;
      res = g_memdup2 (data + 8, *cclen);
      break;
    default:
When that subtraction underflows, *cclen ends up being a large number, and cclen is then passed to g_memdup2, leading to an out-of-bounds (OOB) read.
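As an added illustration (not GStreamer's code or its fix), the C model below isolates the wrapping subtraction and shows a length check that rejects such an atom before the computed length can reach the copy. The atom layout, the ATOM_HEADER_LEN and FOURCC_CCDP constants, and the function names are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical model of the 'ccdp' data atom in a 'c708' caption sample: a
 * 4-byte big-endian length covering this header, a 4-byte fourcc, then the
 * CEA-708 payload. All names here are this example's own, not qtdemux's. */
#define ATOM_HEADER_LEN 8u
#define FOURCC_CCDP 0x63636470u /* 'ccdp' */

static uint32_t read_be32(const uint8_t *p) {
  return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* The vulnerable branch's arithmetic in isolation: with a 32-bit unsigned
 * atom_length, atom_length - 8 wraps to nearly 4 GiB when atom_length < 8.
 * Only the length that would reach g_memdup2 is computed; nothing is copied. */
uint32_t unchecked_cclen(uint32_t atom_length) {
  return atom_length - ATOM_HEADER_LEN;
}

/* Hardened extraction: bound atom_length below by the header size (no underflow)
 * and above by the bytes actually present (no over-read) before computing the
 * payload length or copying. Returns a malloc'd copy, or NULL on rejection. */
uint8_t *extract_cc_checked(const uint8_t *data, size_t data_len, size_t *cclen) {
  if (data_len < ATOM_HEADER_LEN)
    return NULL;
  uint32_t atom_length = read_be32(data);
  if (read_be32(data + 4) != FOURCC_CCDP)
    return NULL; /* unknown data atom for CEA708 */
  if (atom_length < ATOM_HEADER_LEN || atom_length > data_len)
    return NULL; /* would underflow, or claims more bytes than exist */
  *cclen = atom_length - ATOM_HEADER_LEN;
  uint8_t *copy = malloc(*cclen > 0 ? *cclen : 1);
  if (copy != NULL)
    memcpy(copy, data + ATOM_HEADER_LEN, *cclen);
  return copy;
}

/* Constructed samples (0: length 4, 1: length 20 with only 8 bytes present,
 * 2: well-formed 11-byte atom). Returns the accepted payload length or -1. */
long checked_len_for_sample(int which) {
  static const uint8_t s0[8] = {0, 0, 0, 4, 'c', 'c', 'd', 'p'};
  static const uint8_t s1[8] = {0, 0, 0, 20, 'c', 'c', 'd', 'p'};
  static const uint8_t s2[11] = {0, 0, 0, 11, 'c', 'c', 'd', 'p', 1, 2, 3};
  const uint8_t *d = which == 0 ? s0 : which == 1 ? s1 : s2;
  size_t cclen = 0;
  uint8_t *copy = extract_cc_checked(d, which == 2 ? 11 : 8, &cclen);
  if (copy == NULL)
    return -1;
  free(copy);
  return (long)cclen;
}
```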
Impact
This vulnerability can result in reading up to 4GB of process memory or potentially causing a segmentation fault (SEGV) when accessing invalid memory.
CVE
- CVE-2024-47546
Credit
This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).
Contact
You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2024-243 in any communication regarding this issue.