Integer Underflow Vulnerability in GStreamer Library by Freedesktop
CVE-2024-47546

6.9MEDIUM

Key Information:

Vendor

Gstreamer

Status
Gstreamer
Vendor
CVE Published:
12 December 2024

What is CVE-2024-47546?

An integer underflow has been identified in the GStreamer library, specifically within the extract_cc_from_data function located in qtdemux.c. This vulnerability occurs in the FOURCC_c708 case, where subtracting 8 from the atom_length may result in an underflow scenario if atom_length is less than 8. As a consequence of this underflow, the value of *cclen can become a large number, leading to potential out-of-bounds (OOB) read when cclen is subsequently passed to g_memdup2. Users are advised to upgrade to GStreamer version 1.24.10 or later to mitigate this issue.

Affected Version(s)

gstreamer < 1.24.10

References

https://securitylab.github.com/advisories/GHSL-2024-243_G...
x_refsource_CONFIRM
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merg...
x_refsource_MISC
https://gstreamer.freedesktop.org/security/sa-2024-0013.html
x_refsource_MISC

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

JSON
.