Coordinated Disclosure Timeline
- 2024-09-30: Issue reported at https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3865
- 2024-09-30: Issue acknowledged
- 2024-12-03: Fixed and disclosed
Project
GStreamer
Tested Version
- Development version (2024/09/25)
Details
Null pointer dereference in gst_matroska_demux_parse_blockgroup_or_simpleblock (GHSL-2024-249)
A null pointer dereference vulnerability has been discovered in the gst_matroska_demux_parse_blockgroup_or_simpleblock function within matroska-demux.c.
This function does not check that the GstBuffer *sub pointer is non-NULL before dereferencing it, so a null pointer dereference can occur.
The following code snippet shows an example of a null pointer dereference through GST_BUFFER_PTS_IS_VALID:
```c
static GstFlowReturn
gst_matroska_demux_parse_blockgroup_or_simpleblock (GstMatroskaDemux * demux,
    GstEbmlRead * ebml, guint64 cluster_time, guint64 cluster_offset,
    gboolean is_simpleblock)
{
  ...
  /* sub may still be NULL here; each *_IS_VALID macro reads a field through it */
  if (GST_BUFFER_PTS_IS_VALID (sub)) {
    stream->pos = GST_BUFFER_PTS (sub);
    if (GST_BUFFER_DURATION_IS_VALID (sub))
      stream->pos += GST_BUFFER_DURATION (sub);
  } else if (GST_BUFFER_DTS_IS_VALID (sub)) {
    stream->pos = GST_BUFFER_DTS (sub);
    if (GST_BUFFER_DURATION_IS_VALID (sub))
      stream->pos += GST_BUFFER_DURATION (sub);
  }
```
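As an added illustration (not GStreamer's code), the following self-contained C model mirrors the stream->pos update quoted above, with the buffer pointer validated once before any GST_BUFFER_*_IS_VALID-style macro reads through it. The Buffer and Stream types, the CLOCK_TIME_NONE sentinel and the macros are stand-ins for the GStreamer definitions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Stand-in types modelled on GstBuffer's timestamp fields
 * (assumption: these are not GStreamer's real headers). */
typedef uint64_t ClockTime;
#define CLOCK_TIME_NONE ((ClockTime) -1)
#define CLOCK_TIME_IS_VALID(t) ((t) != CLOCK_TIME_NONE)

typedef struct { ClockTime pts, dts, duration; } Buffer;
typedef struct { ClockTime pos; } Stream;

/* Mirrors the GST_BUFFER_*_IS_VALID pattern: each macro reads a field
 * through the pointer, so a NULL buffer faults before any check runs. */
#define BUFFER_PTS_IS_VALID(b)      CLOCK_TIME_IS_VALID((b)->pts)
#define BUFFER_DTS_IS_VALID(b)      CLOCK_TIME_IS_VALID((b)->dts)
#define BUFFER_DURATION_IS_VALID(b) CLOCK_TIME_IS_VALID((b)->duration)

/* Hardened version of the advisory's position update: the pointer is
 * checked first, and stream->pos is left untouched when sub is NULL.
 * Returns false when the update was skipped for that reason. */
bool update_stream_pos(Stream *stream, const Buffer *sub)
{
    if (stream == NULL || sub == NULL)
        return false;

    if (BUFFER_PTS_IS_VALID(sub)) {
        stream->pos = sub->pts;
        if (BUFFER_DURATION_IS_VALID(sub))
            stream->pos += sub->duration;
    } else if (BUFFER_DTS_IS_VALID(sub)) {
        stream->pos = sub->dts;
        if (BUFFER_DURATION_IS_VALID(sub))
            stream->pos += sub->duration;
    }
    return true;
}

/* Helper: builds a buffer from constructed timestamps (or passes NULL when
 * use_null is set), applies the update to a stream at position 7 and
 * returns the resulting position. */
ClockTime pos_after(ClockTime pts, ClockTime dts, ClockTime dur, bool use_null)
{
    Stream s = { .pos = 7 };            /* constructed starting position */
    Buffer b = { pts, dts, dur };
    update_stream_pos(&s, use_null ? NULL : &b);
    return s.pos;
}
```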
Impact
This vulnerability can result in a Denial of Service (DoS) by triggering a segmentation fault (SEGV).
CVE
- CVE-2024-47601
Credit
This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2024-249 in any communication regarding this issue.