Coordinated Disclosure Timeline

Project

Gstreamer

Tested Version

Details

OOB-read in FOURCC_SMI_ parsing (GHSL-2024-244)

An out-of-bounds (OOB) read has been discovered in the qtdemux_parse_svq3_stsd_data function within qtdemux.c.

In the FOURCC_SMI_ case, seqh_size is read from the input file and used without being checked against the amount of data actually remaining:

case FOURCC_SMI_:{
    ...
    /* seqh_size is taken straight from the file */
    seqh_size = QT_UINT32 (data + 4);
    if (seqh_size > 0) {
      /* allocates seqh_size bytes, then copies seqh_size bytes from data + 8
         with no check that that many bytes remain in data */
      _seqh = gst_buffer_new_and_alloc (seqh_size);
      gst_buffer_fill (_seqh, 0, data + 8, seqh_size);
    ...
    break;
  }

If seqh_size is greater than the remaining size of the data buffer, the following call to gst_buffer_fill, which internally uses memcpy, reads past the end of data:

gsize gst_buffer_fill (GstBuffer * buffer, gsize offset, gconstpointer src, gsize size)
{
  ...
      /* tocopy is clamped to the destination buffer's size, not to how many
         bytes are readable at src, so an oversized seqh_size still overreads */
      tocopy = MIN (info.size - offset, left);
      memcpy ((guint8 *) info.data + offset, ptr, tocopy);
  ...
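The missing bounds check, as an added example that is not GStreamer's code or its fix: a small parser for the SMI layout described above (4 bytes, then seqh_size, then the sequence header bytes) that refuses a declared seqh_size larger than the bytes remaining before it copies anything. It assumes seqh_size is stored big-endian, as QT_UINT32 reads it; the function and input names are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Big-endian 32-bit read, as a QT_UINT32-style accessor does on atom data. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Parse a constructed SMI payload laid out as the advisory describes:
 * data[4..8) = seqh_size, data[8..) = sequence header bytes. Returns a heap
 * copy (caller frees) and sets *out_len, or NULL if the declared size does
 * not fit in the remaining input. Hypothetical helper, not GStreamer's fix. */
uint8_t *parse_smi_seqh(const uint8_t *data, size_t len, size_t *out_len)
{
    *out_len = 0;
    if (len < 8)                        /* need both leading 32-bit fields */
        return NULL;
    uint32_t seqh_size = be32(data + 4);
    /* The check the vulnerable path lacks: the file-controlled length must
     * not exceed the bytes actually present after the 8-byte header. */
    if (seqh_size == 0 || (size_t)seqh_size > len - 8)
        return NULL;
    uint8_t *seqh = malloc(seqh_size);
    if (seqh == NULL)
        return NULL;
    memcpy(seqh, data + 8, seqh_size);  /* provably in bounds now */
    *out_len = seqh_size;
    return seqh;
}

/* Constructed inputs: a well-formed 3-byte header, and one whose seqh_size
 * (0xFFFFFFFF) claims far more than the single byte actually present. */
static const uint8_t good_smi[] = { 0,0,0,0, 0,0,0,3, 'a','b','c' };
static const uint8_t bad_smi[]  = { 0,0,0,0, 0xFF,0xFF,0xFF,0xFF, 'a' };
int smi_good_ok(void)
{
    size_t n;
    uint8_t *s = parse_smi_seqh(good_smi, sizeof good_smi, &n);
    int ok = s != NULL && n == 3 && memcmp(s, "abc", 3) == 0;
    free(s);
    return ok;
}
int smi_bad_rejected(void)
{
    size_t n;
    return parse_smi_seqh(bad_smi, sizeof bad_smi, &n) == NULL && n == 0;
}
```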

Impact

This vulnerability can result in reading up to 4GB of process memory, or in a segmentation fault (SEGV) when the read reaches invalid memory.

CVE

Credit

This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).

Contact

You can contact the GHSL team at securitylab@github.com. Please include a reference to GHSL-2024-244 in any communication regarding this issue.