CVE-2024-47606

GHSL-2024-166: GStreamer Integer overflows in MP4/MOV demuxer and memory allocator that can lead to out-of-bounds writes

Severity Score

8.6

*CVSS v4

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

GStreamer is a library for constructing graphs of media-handling components. An integer underflow has been detected in the function qtdemux_parse_theora_extension within qtdemux.c. The vulnerability occurs due to an underflow of the gint size variable, which causes size to hold a large unintended value when cast to an unsigned integer. This 32-bit negative value is then cast to a 64-bit unsigned integer (0xfffffffffffffffa) in a subsequent call to gst_buffer_new_and_alloc. The function gst_buffer_new_allocate then attempts to allocate memory, eventually calling _sysmem_new_block. The function _sysmem_new_block adds alignment and header size to the (unsigned) size, causing the overflow of the 'slice_size' variable. As a result, only 0x89 bytes are allocated, despite the large input size. When the following memcpy call occurs in gst_buffer_fill, the data from the input file will overwrite the content of the GstMapInfo info structure. Finally, during the call to gst_memory_unmap, the overwritten memory may cause a function pointer hijack, as the mem->allocator->mem_unmap_full function is called with a corrupted pointer. This function pointer overwrite could allow an attacker to alter the execution flow of the program, leading to arbitrary code execution. This vulnerability is fixed in 1.24.10.

A flaw was found in the MP4/MOV demuxer and memory allocator in the GStreamer library. Processing a specially crafted input file can cause an integer overflow in the qtdemux_parse_theora_extension function. This issue leads to a small amount of memory being allocated to store a large input size, resulting in an out-of-bounds write.

This update for gstreamer-plugins-good fixes the following issues. Fixed an uninitialized stack memory in Matroska/WebM demuxer. Fixed an out-of-bounds write in isomp4/qtdemux.c. Fixed an out-of-bounds write in convert_to_s334_1a. Fixed an out-of-bounds write in qtdemux_parse_container. Fixed a NULL-pointer dereferences in MP4/MOV demuxer CENC handling. Fixed an integer underflow in FOURCC_strf parsing leading to out-of-bounds read. Fixed an integer underflow in extract_cc_from_data leading to out-of-bounds read. Fixed an integer underflow in MP4/MOV demuxer that can lead to out-of-bounds reads. Fixed an out-of-bounds reads in MP4/MOV demuxer sample table parser. Fixed MP4/MOV sample table parser out-of-bounds read. Fixed insufficient error handling in JPEG decoder that can lead to NULL-pointer dereferences. Fixed a NULL-pointer dereference in Matroska/WebM demuxer. Fixed a NULL-pointer dereferences and out-of-bounds reads in Matroska/WebM demuxer. Fixed a NULL-pointer dereference in Matroska/WebM demuxer. Avoid integer overflow when allocating sysmem. Fixed an integer overflows in MP4/MOV demuxer and memory allocator that can lead to out-of-bounds writes. Fixed a NULL-pointer dereference in gdk-pixbuf decoder. Fixed an integer overflow in AVI subtitle parser that leads to out-of-bounds reads. Fixed various out-of-bounds reads in WAV parser. Fixed various out-of-bounds reads in WAV parser. Fixed various out-of-bounds reads in WAV parser. Fixed various out-of-bounds reads in WAV parser. Fixed a use-after-free in the Matroska demuxer that can cause crashes for certain input files.

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Attack Requirements

None

Privileges Required

None

User Interaction

None

System

Vulnerable | Subsequent

Confidentiality

High

None

Integrity

High

None

Availability

High

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-09-27 CVE Reserved
2024-12-11 CVE Published
2025-07-18 EPSS Updated
2025-07-24 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-190: Integer Overflow or Wraparound

CAPEC

References (5)

URL	Tag	Source
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8032.patch	X_refsource_misc
https://gstreamer.freedesktop.org/security/sa-2024-0014.html	X_refsource_misc
https://securitylab.github.com/advisories/GHSL-2024-166_Gstreamer	X_refsource_confirm

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-47606	2024-12-18
https://bugzilla.redhat.com/show_bug.cgi?id=2331760	2024-12-18

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Gstreamer Search vendor "Gstreamer"		Gstreamer Search vendor "Gstreamer" for product "Gstreamer"				< 1.24.10 Search vendor "Gstreamer" for product "Gstreamer" and version " < 1.24.10"		en		Affected