Coordinated Disclosure Timeline
- 2024-10-03: Issue reported at https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3888
- 2024-10-04: Issue acknowledged
- 2024-12-03: Fixed and disclosed
Project
Gstreamer
Tested Version
- Development version (2024/09/25)
Details
OOB-read in gst_wavparse_cue_chunk (GHSL-2024-260)
An OOB-read has been discovered in gst_wavparse_cue_chunk within gstwavparse.c.
The vulnerability happens due to a discrepancy between the actual size of the `data` buffer and the `size` value passed to the function. Because of this mismatch, the check `if (size < 4 + ncues * 24)` passes in some cases even though `data` holds fewer bytes than `size` claims, so the subsequent loop reads beyond the bounds of the `data` buffer:
static gboolean
gst_wavparse_cue_chunk (GstWavParse * wav, const guint8 * data, guint32 size)
{
  ...
  ncues = GST_READ_UINT32_LE (data);
  /* Bounds check is done against `size`, not against the real buffer length */
  if (size < 4 + ncues * 24) {
    GST_WARNING_OBJECT (wav, "broken file %d %d", size, ncues);
    return FALSE;
  }
  data += 4;
  /* Each iteration reads a 24-byte cue record from `data` */
  for (i = 0; i < ncues; i++) {
    cue = g_new0 (GstWavParseCue, 1);
    cue->id = GST_READ_UINT32_LE (data);
    cue->position = GST_READ_UINT32_LE (data + 4);
    ...
    data += 24;
  }
  ...
}
The root cause of this discrepancy is a miscalculation when the chunk size is clipped to the upstream (file) size, so the clipped `size` no longer matches the amount of data actually available in the buffer:
  /* Clip to upstream size if known */
  if (upstream_size > 0 && size + wav->offset > upstream_size) {
    GST_WARNING_OBJECT (wav, "Clipping chunk size to file size");
    g_assert (upstream_size >= wav->offset);
    size = upstream_size - wav->offset;
  }
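The defensive pattern that closes this class of bug is to validate the declared chunk size against the number of bytes that really back the buffer before the cue count is trusted. The following is an added example written for this advisory, not GStreamer's own code or its fix; the `Cue` type, `parse_cue_chunk` function, `buf_len` parameter and the sample chunks are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical cue record holding the two fields the advisory's loop reads. */
typedef struct { uint32_t id; uint32_t position; } Cue;

#define CUE_RECORD_SIZE 24u   /* on-disk size of one cue record */

static uint32_t read_u32_le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse a cue chunk. `buf_len` is the number of bytes really present in
 * `data`; the declared chunk `size` is checked against it instead of being
 * trusted, so a declared size that exceeds the backing buffer is treated as
 * a broken file rather than driving the loop past the end of `data`.
 * Returns the number of cues parsed, or -1 on a malformed chunk. */
int parse_cue_chunk(const uint8_t *data, size_t buf_len, uint32_t size,
                    Cue *out, size_t out_cap) {
    if (size > buf_len || size < 4) return -1;
    uint32_t ncues = read_u32_le(data);
    /* Division form of the `size < 4 + ncues * 24` check: it cannot wrap
     * around for any ncues value, and it bounds the loop by `size`. */
    if (ncues > (size - 4) / CUE_RECORD_SIZE || ncues > out_cap) return -1;
    data += 4;
    for (uint32_t i = 0; i < ncues; i++) {
        out[i].id = read_u32_le(data);
        out[i].position = read_u32_le(data + 4);
        data += CUE_RECORD_SIZE;          /* skip the rest of the record */
    }
    return (int)ncues;
}

/* Constructed sample chunks (not taken from a real file). */
static const uint8_t good_chunk[28] = {   /* ncues = 1, one full record */
    1, 0, 0, 0,  42, 0, 0, 0,  0x10, 0x27, 0, 0,   /* id 42, position 10000 */
    0, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0 };
static const uint8_t short_chunk[28] = {  /* ncues = 2, but only one record */
    2, 0, 0, 0,  42, 0, 0, 0,  0x10, 0x27, 0, 0,
    0, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0 };
static Cue cues[4];

int main(void) {
    printf("good: %d\n", parse_cue_chunk(good_chunk, sizeof good_chunk, 28, cues, 4));
    printf("short: %d\n", parse_cue_chunk(short_chunk, sizeof short_chunk, 28, cues, 4));
    /* declared size larger than the buffer, the situation the clipping bug creates */
    printf("oversized: %d\n", parse_cue_chunk(good_chunk, sizeof good_chunk, 52, cues, 4));
    return 0;
}
```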
Impact
This vulnerability allows reading beyond the bounds of the `data` buffer, potentially leading to a crash (denial of service) or the leak of sensitive data.
CVE
- CVE-2024-47776
Credit
This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2024-260 in any communication regarding this issue.