Coordinated Disclosure Timeline

Project

GStreamer

Tested Version

Details

OOB-read in gst_avi_subtitle_parse_gab2_chunk (GHSL-2024-262)

An OOB-read vulnerability has been identified in the gst_avi_subtitle_parse_gab2_chunk function within gstavisubtitle.c.

The function reads the name_length value directly from the input file without checking it properly:

  name_length = GST_READ_UINT32_LE (map.data + 5 + 2);

The following condition then fails to handle cases where name_length is greater than 0xFFFFFFFF - 17, because the addition causes an integer overflow:

  if (map.size <= 17 + name_length)
    goto wrong_name_length;

In such a scenario, the function attempts to access memory beyond the buffer with

  GST_READ_UINT16_LE(map.data + 11 + name_length)

leading to an OOB-read.
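
The wraparound described above can be reproduced in isolation. The following C sketch is an added example, not GStreamer's code or its upstream fix: the function names, the 64-byte chunk size and the name_length value are constructed for illustration, and it assumes a 32-bit unsigned int. It places the quoted check beside a subtraction-based check that cannot wrap.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Mirrors the check quoted above. 17 + name_length is evaluated in 32-bit
 * unsigned arithmetic, so it wraps when name_length > 0xFFFFFFFF - 17.
 * Returns 1 if parsing would continue, 0 if it would bail out. */
static int flawed_check_accepts(size_t size, uint32_t name_length)
{
    if (size <= 17 + name_length)
        return 0;               /* goto wrong_name_length */
    return 1;
}

/* Hardened variant (hypothetical, not the upstream patch): compare by
 * subtraction so that no addition on untrusted input can overflow. */
static int safe_check_accepts(size_t size, uint32_t name_length)
{
    if (size <= 17)
        return 0;               /* chunk too small to hold the fixed fields */
    if (name_length >= size - 17)
        return 0;               /* name would run past the end of the chunk */
    return 1;
}

/* Offset used by the subsequent 16-bit read: map.data + 11 + name_length.
 * Pointer arithmetic does not wrap at 32 bits, so the offset stays huge. */
static size_t read_offset(uint32_t name_length)
{
    return (size_t)11 + name_length;
}

int main(void)
{
    const size_t size = 64;                 /* constructed chunk size */
    const uint32_t bad_len = 0xFFFFFFF0u;   /* constructed: > 0xFFFFFFFF - 17 */

    printf("17 + name_length wraps to %u\n", (unsigned)(17 + bad_len));
    printf("flawed check accepts: %d\n", flawed_check_accepts(size, bad_len));
    printf("safe check accepts:   %d\n", safe_check_accepts(size, bad_len));
    printf("read offset %zu vs buffer size %zu\n", read_offset(bad_len), size);
    return 0;
}
```

Both checks agree on well-formed lengths; they differ only where the 32-bit sum wraps.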

Impact

This vulnerability results in an out-of-bounds read, which may lead to application crashes or an information leak.

CVE

Credit

This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).

Contact

You can contact the GHSL team at securitylab@github.com. Please include a reference to GHSL-2024-262 in any communication regarding this issue.