PT-2024-10372 · Gstreamer+10 · Gstreamer+10
Antonio Morales
+1
·
Published
2024-12-11
·
Updated
2026-05-08
·
CVE-2024-47596
CVSS v2.0
7.8
High
| Vector | AV:N/AC:L/Au:N/C:N/I:N/A:C |
Name of the Vulnerable Software and Affected Versions
GStreamer versions prior to 1.24.10
Description
The issue is related to an out-of-bounds (OOB) read in the
qtdemux parse svq3 stsd data function within qtdemux.c. Specifically, in the FOURCC SMI case, seqh size is read from the input file without proper validation. If seqh size is greater than the remaining size of the data buffer, it can lead to an OOB-read in the following call to gst buffer fill, which internally uses memcpy. This can result in reading up to 4GB of process memory or potentially causing a segmentation fault (SEGV) when accessing invalid memory.Recommendations
For GStreamer versions prior to 1.24.10, update to version 1.24.10 or later to resolve the issue. As a temporary workaround, consider restricting the use of the
qtdemux parse svq3 stsd data function until a patch is available. Avoid using the seqh size variable in the affected qtdemux.c file to minimize the risk of exploitation.Exploit
Fix
DoS
Out of bounds Read
Integer Overflow
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Alt Linux
Almalinux
Astra Linux
Debian
Gstreamer
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu