Coordinated Disclosure Timeline

Project

GStreamer

Tested Version

Details

OOB-read in format_channel_mask (GHSL-2024-248)

An OOB-read vulnerability has been detected in the format_channel_mask function in gst-discoverer.c.

The vulnerability affects the local array position, which is defined with a fixed size of 64 elements. However, the function gst_discoverer_audio_info_get_channels may return a guint channels value greater than 64.

This causes the for loop to attempt access beyond the bounds of the position array, resulting in an OOB-read when an index greater than 63 is used:

static gchar * format_channel_mask (GstDiscovererAudioInfo * ainfo){
...
  GstAudioChannelPosition position[64];
  guint channels = gst_discoverer_audio_info_get_channels (ainfo);
  ...
    for (i = 0; i < channels; i++) {
      GEnumValue *value = g_enum_get_value (enum_class, position[i]);
      my_g_string_append_printf (s, 0, "%s%s", value->value_nick,
          i + 1 == channels ? "" : ", ");
    }

Impact

This vulnerability can result in reading unintended bytes from the stack.

Additionally, the dereference of value->value_nick after the OOB-read can lead to further memory corruption or undefined behavior.
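A bounds-checked form of the loop pattern described above, as an added example that is not GStreamer's code or its fix. The names nick_for_position and format_positions_checked and the sample data are hypothetical stand-ins so that it builds without GLib.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_POSITIONS 64 /* size of the local position[] array in the advisory */

/* Constructed sample input: positions as a caller would have filled them. */
static int sample_pos[MAX_POSITIONS] = { 0, 1, 99 };
static char sample_out[256];

/* Constructed stand-in for the enum lookup. Returns NULL for a value that is
 * not a member, which is also what g_enum_get_value() does. */
static const char *nick_for_position(int pos) {
    static const char *const nicks[] = { "front-left", "front-right", "lfe" };
    if (pos < 0 || (size_t)pos >= sizeof nicks / sizeof nicks[0])
        return NULL;
    return nicks[pos];
}

/* Hypothetical hardened formatter: 0 on success, -1 if the channel count is
 * rejected or the output buffer is too small. */
static int format_positions_checked(const int *position, unsigned channels,
                                    char *out, size_t outlen) {
    size_t used = 0;
    if (outlen == 0)
        return -1;
    out[0] = '\0';
    if (channels > MAX_POSITIONS) /* the bound the advisory's loop lacks */
        return -1;
    for (unsigned i = 0; i < channels; i++) {
        const char *nick = nick_for_position(position[i]);
        if (nick == NULL) /* never dereference a failed lookup */
            nick = "unknown";
        int n = snprintf(out + used, outlen - used, "%s%s", nick,
                         i + 1 == channels ? "" : ", ");
        if (n < 0 || (size_t)n >= outlen - used)
            return -1;
        used += (size_t)n;
    }
    return 0;
}

int main(void) {
    int rc = format_positions_checked(sample_pos, 3, sample_out, sizeof sample_out);
    printf("3 channels: rc=%d \"%s\"\n", rc, sample_out);
    rc = format_positions_checked(sample_pos, 65, sample_out, sizeof sample_out);
    printf("65 channels: rc=%d\n", rc);
    return 0;
}
```
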

CVE

Credit

This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).

Contact

You can contact the GHSL team at securitylab@github.com. Please include a reference to GHSL-2024-248 in any communication regarding this issue.