Coordinated Disclosure Timeline
- 2024-10-03: Issue reported at https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3886
- 2024-10-04: Issue acknowledged
- 2024-12-03: Fixed and disclosed
Project
GStreamer
Tested Version
- Development version (2024/09/25)
Details
OOB-read in gst_wavparse_adtl_chunk (GHSL-2024-258)
An OOB-read vulnerability has been discovered in gst_wavparse_adtl_chunk within gstwavparse.c.
This vulnerability arises due to insufficient validation of the size parameter, which can exceed the bounds of the data buffer. As a result, an OOB read occurs in the following while loop:
    static gboolean
    gst_wavparse_adtl_chunk (GstWavParse * wav, const guint8 * data, guint32 size)
    {
      guint32 ltag, lsize, offset = 0;
      ...
      while (size >= 8) {
        ltag = GST_READ_UINT32_LE (data + offset);
        lsize = GST_READ_UINT32_LE (data + offset + 4);   /* lsize is never checked against the bytes left in data */
        ...
        switch (ltag) {
          case GST_RIFF_TAG_labl:
            gst_wavparse_labl_chunk (wav, data + offset + 8, lsize);
            break;
          case GST_RIFF_TAG_note:
            gst_wavparse_note_chunk (wav, data + offset + 8, lsize);
            break;
          ...
        }
        offset += 8 + GST_ROUND_UP_2 (lsize);
        size -= 8 + GST_ROUND_UP_2 (lsize);
      }
      ...
    }
There are 2 root causes for this bug:
- Integer underflow in the case GST_RIFF_LIST_adtl (GHSL-2024-258_crash1.wav):
    case GST_RIFF_LIST_adtl:{
      const gint data_size = size - 4;  // <= Subtraction could result in an integer underflow
- size is read from the input file without proper validation (GHSL-2024-258_asan1.wav):
    size = GST_READ_UINT32_LE (map.data + 4);
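As an added illustration (not GStreamer's code, and not the upstream fix), a stand-alone C walker over the same adtl layout with the two checks the advisory identifies as missing: a minimum list length before the `size - 4` subtraction, and a comparison of each sub-chunk's lsize against the bytes actually remaining. The function names and the constructed sample buffers are mine; the TAG_labl/TAG_note constants are the little-endian FOURCC values that GST_MAKE_FOURCC produces for "labl" and "note".

```c
#include <stddef.h>
#include <stdint.h>
/* Hypothetical stand-alone walker (not GStreamer's code) over the adtl layout the
 * advisory describes: a 4-byte list type, then sub-chunks of tag(4)+size(4)+payload.
 * It adds the two checks the advisory says are missing: the list must hold at least
 * 4 bytes before "size - 4", and every lsize is checked against the bytes remaining. */
static uint32_t read_u32_le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
/* RIFF FOURCCs as little-endian integers, i.e. GST_MAKE_FOURCC('l','a','b','l'). */
#define TAG_labl 0x6c62616cU
#define TAG_note 0x65746f6eU
/* Returns the number of labl/note sub-chunks seen, or -1 if a sub-chunk claims more
 * bytes than remain in data. Never reads past data + size. */
int walk_adtl_subchunks(const uint8_t *data, size_t size) {
    size_t offset = 0;
    int seen = 0;
    while (size - offset >= 8) {                 /* offset <= size holds throughout */
        uint32_t ltag = read_u32_le(data + offset);
        uint32_t lsize = read_u32_le(data + offset + 4);
        size_t remaining = size - offset - 8;
        if (lsize > remaining)                   /* the missing bounds check */
            return -1;
        size_t padded = (size_t)lsize + (lsize & 1);  /* GST_ROUND_UP_2 without 32-bit wrap */
        if (padded > remaining)                  /* trailing pad byte may be absent */
            padded = remaining;
        if (ltag == TAG_labl || ltag == TAG_note)
            seen++;                              /* a real parser would dispatch here */
        offset += 8 + padded;
    }
    return seen;
}
/* Mirrors the GST_RIFF_LIST_adtl case: reject a list too short for its type id. */
int walk_adtl_list(const uint8_t *data, size_t size) {
    if (size < 4)                                /* prevents the size - 4 underflow */
        return -1;
    return walk_adtl_subchunks(data + 4, size - 4);
}
/* Constructed sample: "adtl" type, then labl (5 payload bytes + pad) and note (4 bytes). */
static const uint8_t SAMPLE_GOOD[] = {
    'a','d','t','l',
    'l','a','b','l', 5,0,0,0, 1,0,0,0,'A', 0,
    'n','o','t','e', 4,0,0,0, 2,0,0,0 };
/* Constructed sample: a labl sub-chunk whose lsize (0xfffffff0) far exceeds the buffer. */
static const uint8_t SAMPLE_OVERSIZED[] = {
    'a','d','t','l', 'l','a','b','l', 0xf0,0xff,0xff,0xff, 1,0 };
```

With the unchecked loop from the advisory, SAMPLE_OVERSIZED would send the labl handler a 4 GB length for a 2-byte payload; here it is rejected before any sub-chunk handler runs.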
Impact
This vulnerability can result in reading up to 4GB of process memory or potentially causing a segmentation fault (SEGV) when accessing invalid memory.
CVE
- CVE-2024-47778
Credit
This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2024-258 in any communication regarding this issue.