CVE-2024-47537

GHSL-2024-094: GStreamer has an OOB-write in isomp4/qtdemux.c

Published: 12/11/2024 Last updated: 12/11/2024 Reserved: 9/25/2024

GStreamer is a library for constructing graphs of media-handling components. The program attempts to reallocate the memory pointed to by stream->samples to accommodate stream->n_samples + samples_count elements of type QtDemuxSample. The problem is that samples_count is read from the input file. And if this value is big enough, this can lead to an integer overflow during the addition. As a consequence, g_try_renew might allocate memory for a significantly smaller number of elements than intended. Following this, the program iterates through samples_count elements and attempts to write samples_count number of elements, potentially exceeding the actual allocated memory size and causing an OOB-write. This vulnerability is fixed in 1.24.10.

CNA assigner: GitHub_M (a0819718-46f1-4df5-94e2-005712e83aaa) Requested by: n/a

Metrics

Version	Score	Severity	Vector String
4.0	8.6	High	CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Opam packages affected (2)

conf-gstreamer gstreamer

Products affected (1)

Product	Vendor	Version
gstreamer	gstreamer	< publication

CVE-2024-47537

GHSL-2024-094: GStreamer has an OOB-write in isomp4/qtdemux.c

Metrics

Opam packages affected (2)

Products affected (1)

References (3)