CVE-2024-47613

GHSL-2024-118: GStreamer has a null pointer dereference in gst_gdk_pixbuf_dec_flush

Severity Score

8.6
*CVSS v4

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track*
*SSVC
Descriptions

GStreamer is a library for constructing graphs of media-handling components. A stack-buffer overflow has been detected in the vorbis_handle_identification_packet function within gstvorbisdec.c. The position array is a stack-allocated buffer of size 64. If vd->vi.channels exceeds 64, the for loop will write beyond the boundaries of the position array. The value written will always be GST_AUDIO_CHANNEL_POSITION_NONE. This vulnerability allows the EIP address allocated in the stack to be overwritten. Additionally, this bug can overwrite the GstAudioInfo info structure. This vulnerability is fixed in 1.24.10.

GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference vulnerability has been identified in `gst_gdk_pixbuf_dec_flush` within `gstgdkpixbufdec.c`. This function invokes `memcpy`, using `out_pix` as the destination address. `out_pix` is expected to point to frame 0 from the frame structure, which is read from the input file. However, in certain situations, it can point to a NULL frame, causing the subsequent call to `memcpy` to attempt writing to the null address (0x00), leading to a null pointer dereference. This vulnerability can result in a Denial of Service (DoS) by triggering a segmentation fault (SEGV). This vulnerability is fixed in 1.24.10.

A flaw was found in the gdk-pixbuf decoder in the GStreamer library. Processing a specially crafted input file can cause a NULL pointer dereference due to an unchecked return value, resulting in an application crash and a denial of service.

This update for gstreamer-plugins-good fixes the following issues:
  • Fixed uninitialized stack memory in Matroska/WebM demuxer.
  • Fixed an out-of-bounds write in isomp4/qtdemux.c.
  • Fixed an out-of-bounds write in convert_to_s334_1a.
  • Fixed an out-of-bounds write in qtdemux_parse_container.
  • Fixed NULL-pointer dereferences in MP4/MOV demuxer CENC handling.
  • Fixed an integer underflow in FOURCC_strf parsing leading to out-of-bounds read.
  • Fixed an integer underflow in extract_cc_from_data leading to out-of-bounds read.
  • Fixed an integer underflow in MP4/MOV demuxer that can lead to out-of-bounds reads.
  • Fixed out-of-bounds reads in MP4/MOV demuxer sample table parser.
  • Fixed MP4/MOV sample table parser out-of-bounds read.
  • Fixed insufficient error handling in JPEG decoder that can lead to NULL-pointer dereferences.
  • Fixed a NULL-pointer dereference in Matroska/WebM demuxer.
  • Fixed NULL-pointer dereferences and out-of-bounds reads in Matroska/WebM demuxer.
  • Fixed a NULL-pointer dereference in Matroska/WebM demuxer.
  • Avoid integer overflow when allocating sysmem.
  • Fixed integer overflows in MP4/MOV demuxer and memory allocator that can lead to out-of-bounds writes.
  • Fixed a NULL-pointer dereference in gdk-pixbuf decoder.
  • Fixed an integer overflow in AVI subtitle parser that leads to out-of-bounds reads.
  • Fixed various out-of-bounds reads in WAV parser.
  • Fixed various out-of-bounds reads in WAV parser.
  • Fixed various out-of-bounds reads in WAV parser.
  • Fixed various out-of-bounds reads in WAV parser.
  • Fixed a use-after-free in the Matroska demuxer that can cause crashes for certain input files.

*Credits: N/A
CVSS Scores
Attack Vector: Local
Attack Complexity: Low
Attack Requirements: None
Privileges Required: None
User Interaction: None
System: Vulnerable | Subsequent
Confidentiality: High | None
Integrity: High | None
Availability: High | None

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Attack Vector: Network
Attack Complexity: Low
Authentication: None
Confidentiality: Complete
Integrity: Complete
Availability: Complete
* Common Vulnerability Scoring System
SSVC
  • Decision: Track*
  • Exploitation: PoC
  • Automatable: No
  • Tech. Impact: Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-09-27 CVE Reserved
  • 2024-12-11 CVE Published
  • 2024-12-19 CVE Updated
  • 2025-07-07 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-476: NULL Pointer Dereference
CAPEC
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
Gstreamer | Gstreamer | < 1.24.10 | en | Affected