Coordinated Disclosure Timeline

Project

GStreamer

Tested Version

Details

OOB-read in gst_wavparse_smpl_chunk (GHSL-2024-259)

An OOB-read vulnerability has been identified in the gst_wavparse_smpl_chunk function within gstwavparse.c.

This function reads 4 bytes at offset 12 of the data buffer (data + 12) without first checking that size, the length of that buffer, is large enough. If the buffer is too small, the function reads beyond its bounds:

static gboolean
gst_wavparse_smpl_chunk (GstWavParse * wav, const guint8 * data, guint32 size)
{
...
  /* size is not checked before this 4-byte read at data + 12 */
  note_number = GST_READ_UINT32_LE (data + 12);
...
}

As a result, an OOB-read can happen.
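An added example, not GStreamer's code or its fix: a bounds-checked little-endian read applied to the data + 12 access shown above. The names read_u32_le_checked and smpl_note_number, and the 16-byte sample chunk, are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SMPL_NOTE_OFFSET 12u  /* offset of the read shown in the advisory */

/* Read a little-endian 32-bit value at `offset`, refusing any read that
 * would touch bytes past data[size - 1]. The check is written as a
 * subtraction so that offset + 4 can never wrap around. */
static bool read_u32_le_checked(const uint8_t *data, uint32_t size,
                                uint32_t offset, uint32_t *out)
{
    if (data == NULL || out == NULL)
        return false;
    if (size < 4 || offset > size - 4)
        return false;
    const uint8_t *p = data + offset;
    *out = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return true;
}

/* Hypothetical stand-in for the smpl handler: a truncated chunk is
 * rejected instead of being read past its end. */
static bool smpl_note_number(const uint8_t *data, uint32_t size,
                             uint32_t *note_number)
{
    return read_u32_le_checked(data, size, SMPL_NOTE_OFFSET, note_number);
}

int main(void)
{
    /* Constructed sample: 16-byte payload with the value 60 at offset 12. */
    static const uint8_t chunk[16] = { [12] = 0x3c };
    uint32_t note = 0;

    /* Sizes 12..15 are too short for a 4-byte read at offset 12. */
    for (uint32_t size = 12; size <= 16; size++) {
        bool ok = smpl_note_number(chunk, size, &note);
        printf("size=%u -> %s\n", (unsigned)size, ok ? "read" : "rejected");
    }
    return 0;
}
```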

Impact

This vulnerability may result in a read of 4 bytes beyond the bounds of the data buffer.

CVE

Credit

This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).

Contact

You can contact the GHSL team at securitylab@github.com. Please include a reference to GHSL-2024-259 in any communication regarding this issue.