Coordinated Disclosure Timeline

Project

GStreamer

Tested Version

Details

Null pointer dereference in gst_jpeg_dec_negotiate (GHSL-2024-247)

A null pointer dereference vulnerability has been discovered in the gst_jpeg_dec_negotiate function in gstjpegdec.c.

This function does not check whether gst_video_decoder_set_output_state returns NULL.

When that call fails and returns NULL, the subsequent writes through the outstate pointer dereference a null pointer:

static void
gst_jpeg_dec_negotiate (GstJpegDec * dec, gint width, gint height,
    gint clrspc, gboolean interlaced)
{
  GstVideoCodecState *outstate;
  ...
  outstate =
      gst_video_decoder_set_output_state (GST_VIDEO_DECODER (dec), format,
      width, height, dec->input_state);
  ...
      outstate->info.chroma_site = GST_VIDEO_CHROMA_SITE_NONE;

      outstate->info.colorimetry.range = GST_VIDEO_COLOR_RANGE_0_255;
      outstate->info.colorimetry.matrix = GST_VIDEO_COLOR_MATRIX_BT601;
      outstate->info.colorimetry.transfer = GST_VIDEO_TRANSFER_UNKNOWN;
      outstate->info.colorimetry.primaries = GST_VIDEO_COLOR_PRIMARIES_UNKNOWN;
      break;
  }
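
The unchecked-return pattern above next to a hardened version that checks the result and reports the failure to its caller, as an added illustration that is not GStreamer's code. It uses stand-in types and a stand-in set_output_state() (assumed to return NULL for an invalid frame size, standing in for whatever makes the real call fail) so it compiles without GStreamer.

```c
/* Added example modelled on gst_jpeg_dec_negotiate; stand-in types, not GStreamer's. */
#include <stdio.h>
#include <stdlib.h>

enum { CHROMA_SITE_NONE = 0, COLOR_RANGE_0_255 = 1, COLOR_MATRIX_BT601 = 2 };

typedef struct {
    int chroma_site;
    struct { int range, matrix; } colorimetry;
} VideoInfo;

typedef struct { VideoInfo info; int width, height; } VideoCodecState;

/* Stand-in for gst_video_decoder_set_output_state(): NULL signals failure.
 * Assumption: a non-positive dimension is the constructed failure condition. */
static VideoCodecState *set_output_state(int width, int height)
{
    if (width <= 0 || height <= 0)
        return NULL;
    VideoCodecState *s = calloc(1, sizeof *s);
    if (s) { s->width = width; s->height = height; }
    return s;
}

/* Vulnerable shape: the return value is written through without a NULL check. */
static void negotiate_vulnerable(int width, int height)
{
    VideoCodecState *outstate = set_output_state(width, height);
    outstate->info.chroma_site = CHROMA_SITE_NONE;        /* SEGV when NULL */
    outstate->info.colorimetry.range = COLOR_RANGE_0_255;
    outstate->info.colorimetry.matrix = COLOR_MATRIX_BT601;
    free(outstate);
}

/* Hardened shape: check the result, log it, and let the caller fail negotiation. */
static int negotiate_hardened(int width, int height, VideoCodecState **out)
{
    VideoCodecState *outstate = set_output_state(width, height);
    *out = NULL;
    if (outstate == NULL) {
        fprintf(stderr, "negotiate: could not set output state for %dx%d\n",
                width, height);
        return 0;                       /* caller treats 0 as a negotiation error */
    }
    outstate->info.chroma_site = CHROMA_SITE_NONE;
    outstate->info.colorimetry.range = COLOR_RANGE_0_255;
    outstate->info.colorimetry.matrix = COLOR_MATRIX_BT601;
    *out = outstate;
    return 1;
}
```

Only negotiate_hardened() is safe to call with a size that makes the stand-in fail; negotiate_vulnerable() is kept to show the shape of the defect.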

Impact

This vulnerability can result in a Denial of Service (DoS) by triggering a segmentation fault (SEGV).

CVE

Credit

This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).

Contact

You can contact the GHSL team at securitylab@github.com. Please include a reference to GHSL-2024-247 in any communication regarding this issue.