Coordinated Disclosure Timeline

Project

GStreamer

Tested Version

Details

OOB-read in qtdemux_merge_sample_table (GHSL-2024-246)

An OOB-read vulnerability has been discovered in the qtdemux_merge_sample_table function within qtdemux.c.

The problem is that the remaining size of the stts buffer isn’t checked before stts_duration is read, so the program can read 4 bytes beyond the end of stts->data:

static void qtdemux_merge_sample_table (GstQTDemux * qtdemux, QtDemuxStream * stream)
{
...
  /* both calls are the _unchecked variants: neither verifies that 8 bytes remain in stream->stts */
  gst_byte_reader_skip_unchecked (&stream->stts, 4);
  stts_duration = gst_byte_reader_get_uint32_be_unchecked (&stream->stts);
...

Impact

This vulnerability reads up to 4 bytes past the allocated bounds of the stts array.
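The check that the skip-then-read pattern above is missing, shown on a minimal stand-in for the byte reader; this is an added example, not GStreamer code, and the ByteReader/SttsEntry types, stts_read_entry and stts_walk names and the 12-byte sample table are all constructed here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for GstByteReader (hypothetical, not the GStreamer type). */
typedef struct { const uint8_t *data; size_t size; size_t byte; } ByteReader;

/* One entry of the MP4 'stts' (time-to-sample) table: two big-endian uint32s. */
typedef struct { uint32_t sample_count; uint32_t sample_delta; } SttsEntry;

static uint32_t read_u32_be(const uint8_t *p) {
  return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
         ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Checked counterpart of skip-4-then-read-4: the entry is consumed only if
   8 bytes remain; otherwise return false and leave the reader untouched. */
static bool stts_read_entry(ByteReader *r, SttsEntry *out) {
  if (r->byte > r->size || r->size - r->byte < 8)
    return false;
  out->sample_count = read_u32_be(r->data + r->byte);
  out->sample_delta = read_u32_be(r->data + r->byte + 4);
  r->byte += 8;
  return true;
}

/* Walk up to n_claimed entries (the count the box header advertises, taken
   from the file) and stop at the first one the buffer cannot hold.
   Returns how many entries were actually read into dst. */
static size_t stts_walk(const uint8_t *buf, size_t len, uint32_t n_claimed,
                        SttsEntry *dst, size_t cap) {
  ByteReader r = { buf, len, 0 };
  size_t n = 0;
  while (n < n_claimed && n < cap && stts_read_entry(&r, &dst[n]))
    n++;
  return n;
}

/* Constructed sample: the header claims 2 entries, but the payload holds one
   full entry (count=2, delta=1024) and only 4 bytes of the second. */
static const uint8_t k_truncated_stts[12] = {
  0x00, 0x00, 0x00, 0x02,  0x00, 0x00, 0x04, 0x00,
  0x00, 0x00, 0x00, 0x01 };

int main(void) {
  SttsEntry e[2];
  size_t n = stts_walk(k_truncated_stts, sizeof k_truncated_stts, 2, e, 2);
  printf("entries read: %zu (first: count=%u delta=%u)\n",
         n, e[0].sample_count, e[0].sample_delta);
  return 0;
}
```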

CVE

Credit

This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2024-246 in any communication regarding this issue.