Coordinated Disclosure Timeline

Project

GStreamer

Tested Version

Details

OOB-read in parse_ds64 (GHSL-2024-261)

An OOB-read vulnerability has been found in the parse_ds64 function within gstwavparse.c.

The parse_ds64 function does not check that the buffer buf contains sufficient data before reading from it. It performs multiple GST_READ_UINT32_LE operations without any boundary checks:

static gboolean parse_ds64 (GstWavParse * wav, GstBuffer * buf){
...
  gst_buffer_map (buf, &map, GST_MAP_READ);
  dataSizeLow = GST_READ_UINT32_LE (map.data + 2 * 4);
  dataSizeHigh = GST_READ_UINT32_LE (map.data + 3 * 4);
  sampleCountLow = GST_READ_UINT32_LE (map.data + 4 * 4);
  sampleCountHigh = GST_READ_UINT32_LE (map.data + 5 * 4);
  gst_buffer_unmap (buf, &map);
...
}

This can lead to an OOB-read when buf is smaller than expected:

Impact

This vulnerability allows reading beyond the bounds of the data buffer, potentially leading to a crash (denial of service) or the leak of sensitive data.

Ensure the buffer contains the expected amount of data before performing read operations.
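
A minimal sketch of that check, added here as an illustration and not taken from GStreamer or its fix: the same four reads, done only after confirming the mapped size covers offsets 2 * 4 through 5 * 4 + 3. The names ds64_read_fields, read_u32_le, DS64_MIN_SIZE and ds64_sample are hypothetical, and combining the low and high halves into 64-bit values is an assumption about how the fields are used.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The four reads in parse_ds64 touch offsets 2*4 .. 5*4+3, i.e. 24 bytes. */
#define DS64_MIN_SIZE (6 * 4)

/* Portable stand-in for GST_READ_UINT32_LE (hypothetical helper). */
static uint32_t read_u32_le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Bounds-checked version of the field reads (hypothetical name).
 * Returns false and leaves the outputs untouched if the data is truncated. */
bool ds64_read_fields(const uint8_t *data, size_t size,
                      uint64_t *data_size, uint64_t *sample_count)
{
    if (data == NULL || size < DS64_MIN_SIZE)
        return false;                      /* reject before any read */

    uint32_t data_lo   = read_u32_le(data + 2 * 4);
    uint32_t data_hi   = read_u32_le(data + 3 * 4);
    uint32_t sample_lo = read_u32_le(data + 4 * 4);
    uint32_t sample_hi = read_u32_le(data + 5 * 4);

    /* Assumption: low/high halves form one 64-bit value each. */
    *data_size    = ((uint64_t)data_hi << 32) | data_lo;
    *sample_count = ((uint64_t)sample_hi << 32) | sample_lo;
    return true;
}

/* Constructed sample: 24 bytes; the first 8 are not read by the snippet. */
static const uint8_t ds64_sample[DS64_MIN_SIZE] = {
    0, 0, 0, 0,  0, 0, 0, 0,
    0x10, 0, 0, 0,  0x01, 0, 0, 0,   /* data size low, high */
    0x04, 0, 0, 0,  0x00, 0, 0, 0,   /* sample count low, high */
};

int main(void)
{
    uint64_t ds = 0, sc = 0;
    bool ok = ds64_read_fields(ds64_sample, sizeof ds64_sample, &ds, &sc);
    printf("full: ok=%d data=%llu samples=%llu\n", ok,
           (unsigned long long)ds, (unsigned long long)sc);
    printf("truncated: ok=%d\n", ds64_read_fields(ds64_sample, 23, &ds, &sc));
    return 0;
}
```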

CVE

Credit

This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).

Contact

You can contact the GHSL team at securitylab@github.com. Please include a reference to GHSL-2024-261 in any communication regarding this issue.