Coordinated Disclosure Timeline

Project

GStreamer

Tested Version

Details

OOB-read in qtdemux_parse_samples (GHSL-2024-245)

An OOB-read has been detected in the function qtdemux_parse_samples within qtdemux.c.

This issue arises when the function qtdemux_parse_samples reads data beyond the boundaries of the stream->stco buffer.

The following code snippet shows the call to qt_atom_parser_get_offset_unchecked, which leads to the OOB-read when parsing the provided GHSL-2024-245_crash1.mp4 file:

static gboolean qtdemux_parse_samples (GstQTDemux * qtdemux, QtDemuxStream * stream, guint32 n){
...
        cur->offset =
            qt_atom_parser_get_offset_unchecked (&stream->co_chunk,
            stream->co_size);
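
The missing precondition can be shown with a small model. This is an added example, not GStreamer code and not the project's fix; `reader_t`, `read_offset_checked` and `parse_offsets` are hypothetical names, and the entry width of 4 or 8 bytes is an assumption based on the 32-bit and 64-bit chunk offset tables of the MP4 format. The read is refused whenever fewer bytes remain than the entry width:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-in for a byte reader over the chunk-offset table. */
typedef struct {
    const uint8_t *data;
    size_t size;   /* total bytes in the table */
    size_t pos;    /* current read position */
} reader_t;

/* Bounds-checked read of one big-endian chunk offset.
 * off_size is 4 (32-bit entries) or 8 (64-bit entries). Returns false and
 * leaves the reader untouched when fewer than off_size bytes remain. */
static bool read_offset_checked(reader_t *r, unsigned off_size, uint64_t *out)
{
    if (off_size != 4 && off_size != 8)
        return false;
    if (r->pos > r->size || r->size - r->pos < off_size)
        return false;
    uint64_t v = 0;
    for (unsigned i = 0; i < off_size; i++)
        v = (v << 8) | r->data[r->pos + i];
    r->pos += off_size;
    *out = v;
    return true;
}

/* Parse up to n entries, stopping at the first short read. Returns the count parsed. */
static size_t parse_offsets(const uint8_t *buf, size_t len, unsigned off_size,
                            uint64_t *out, size_t n)
{
    reader_t r = { buf, len, 0 };
    size_t i;
    for (i = 0; i < n; i++)
        if (!read_offset_checked(&r, off_size, &out[i]))
            break;
    return i;
}

/* Constructed sample: two 4-byte entries followed by 2 stray bytes. */
static const uint8_t SAMPLE[] = { 0, 0, 0, 0x10, 0, 0, 0x01, 0x00, 0xAA, 0xBB };

int main(void) {
    uint64_t out[3];
    return parse_offsets(SAMPLE, sizeof SAMPLE, 4, out, 3) == 2 ? 0 : 1;
}
```
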

Impact

This issue may lead to an out-of-bounds read of up to 8 bytes.

CVE

Credit

This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).

Contact

You can contact the GHSL team at securitylab@github.com. Please include a reference to GHSL-2024-245 in any communication regarding this issue.