Coordinated Disclosure Timeline

Project

GStreamer

Tested Version

Details

Null pointer dereference in gst_matroska_demux_update_tracks (GHSL-2024-251)

A null pointer dereference vulnerability has been discovered in the gst_matroska_demux_update_tracks function within matroska-demux.c.

The vulnerability occurs when the gst_caps_is_equal function is called with invalid caps values:

static GstFlowReturn
gst_matroska_demux_update_tracks (GstMatroskaDemux * demux, GstEbmlRead * ebml)
{
  ...
  /* Compares the caps of the existing track with the caps of the newly
     parsed one; with invalid caps this comparison reaches the crash
     described below. */
  if (!gst_caps_is_equal (old_track->caps, new_track->caps)) {
  ...

When this happens, the comparison eventually reaches gst_buffer_get_size, where the call to GST_BUFFER_MEM_PTR can return a null pointer.

Reading the size field through that null pointer is the null pointer dereference:

gsize
gst_buffer_get_size (GstBuffer * buffer)
{
  ...
  len = GST_BUFFER_MEM_LEN (buffer);
  /* Every GstMemory pointer in the buffer's memory array is used without a
     NULL check, so a NULL entry returned by GST_BUFFER_MEM_PTR is
     dereferenced as soon as ->size is read. */
  for (i = 0, size = 0; i < len; i++)
    size += GST_BUFFER_MEM_PTR (buffer, i)->size;
  return size;
}
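The crash pattern above is easiest to see in isolation. The following is an added illustration, not GStreamer code and not part of the advisory: a stripped-down model of a buffer whose memory array has a NULL slot, with the unchecked summation loop next to a checked variant that reports the bad slot instead of dereferencing it. All names (ToyBuffer, ToyMemory, toy_get_size_unchecked, toy_get_size_checked, toy_make_buffer) are hypothetical stand-ins chosen only to mirror the shape of gst_buffer_get_size.

```c
/* Added illustration, not GStreamer code. ToyBuffer/ToyMemory are
 * hypothetical stand-ins for GstBuffer/GstMemory; the constructed sample
 * buffer holds three blocks of 16, 32 and 64 bytes. */
#include <stddef.h>
#include <stdio.h>

#define TOY_MAX_MEM 4

typedef struct {
    size_t size;                 /* bytes held by this memory block */
} ToyMemory;

typedef struct {
    unsigned len;                /* plays the role of GST_BUFFER_MEM_LEN */
    ToyMemory *mem[TOY_MAX_MEM]; /* plays the role of GST_BUFFER_MEM_PTR(buf, i) */
} ToyBuffer;

/* Unchecked sum, same shape as the loop in the advisory: a NULL entry in
 * mem[] is dereferenced when ->size is read, which is the SEGV. */
size_t toy_get_size_unchecked(const ToyBuffer *buf) {
    size_t total = 0;
    for (unsigned i = 0; i < buf->len; i++)
        total += buf->mem[i]->size;
    return total;
}

/* Checked sum: skips NULL slots, remembers the first one in *bad_index
 * (-1 when every slot is valid) so the caller can reject the buffer. */
size_t toy_get_size_checked(const ToyBuffer *buf, int *bad_index) {
    size_t total = 0;
    *bad_index = -1;
    for (unsigned i = 0; i < buf->len; i++) {
        if (buf->mem[i] == NULL) {
            if (*bad_index < 0)
                *bad_index = (int)i;   /* first invalid slot seen */
            continue;
        }
        total += buf->mem[i]->size;
    }
    return total;
}

/* Builds the constructed sample buffer; poison_slot selects which entry
 * (if any, -1 for none) is left NULL to model the advisory's condition. */
ToyBuffer toy_make_buffer(int poison_slot) {
    static ToyMemory blocks[3] = { {16}, {32}, {64} };
    ToyBuffer b;
    b.len = 3;
    for (unsigned i = 0; i < b.len; i++)
        b.mem[i] = ((int)i == poison_slot) ? NULL : &blocks[i];
    b.mem[3] = NULL;
    return b;
}

/* Wrappers that build the sample and run the checked sum, so results can
 * be inspected without intermediate state. */
size_t toy_checked_size_of_sample(int poison_slot) {
    ToyBuffer b = toy_make_buffer(poison_slot);
    int bad;
    return toy_get_size_checked(&b, &bad);
}

int toy_bad_index_of_sample(int poison_slot) {
    ToyBuffer b = toy_make_buffer(poison_slot);
    int bad;
    toy_get_size_checked(&b, &bad);
    return bad;
}

int main(void) {
    ToyBuffer ok = toy_make_buffer(-1);
    ToyBuffer broken = toy_make_buffer(1);
    int bad;

    printf("valid buffer, unchecked sum: %zu\n", toy_get_size_unchecked(&ok));
    /* toy_get_size_unchecked(&broken) would dereference NULL at slot 1;
     * only the checked variant is safe to call on it. */
    printf("broken buffer, checked sum: %zu (first NULL slot: %d)\n",
           toy_get_size_checked(&broken, &bad), bad);
    return 0;
}
```

The checked variant is deliberately conservative: it keeps summing the valid entries only so that the bad index can be surfaced, but a real fix would normally treat any NULL memory entry as a malformed buffer and refuse it rather than report a partial size.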

Impact

This vulnerability can result in a Denial of Service (DoS) by triggering a segmentation fault (SEGV).

CVE

Credit

This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2024-251 in any communication regarding this issue.