gstreamer / gstreamer issue #1224 (Closed)
Issue created May 17, 2022 by Adam Doupe@adamdoupe

avidemux: heap buffer overwrite in gst_avi_demux_invert/swap_line

Describe the vulnerability

Heap-based buffer overflow in the avidemux element, specifically in the functions gst_avi_demux_invert/swap_line.

The root cause of the vulnerability is that these values come straight from the .avi file (the strf chunk of the video stream header) without validation:

  h = stream->strf.vids->height;
  w = stream->strf.vids->width;
  bpp = stream->strf.vids->bit_cnt ? stream->strf.vids->bit_cnt : 8;
  stride = GST_ROUND_UP_4 (w * (bpp / 8));

https://gitlab.freedesktop.org/gstreamer/gstreamer/-/blob/main/subprojects/gst-plugins-good/gst/avi/gstavidemux.c#L5004

And the temporary line buffer is malloc'd based on that stride (one row of pixels):

  tmp = g_malloc (stride);

https://gitlab.freedesktop.org/gstreamer/gstreamer/-/blob/main/subprojects/gst-plugins-good/gst/avi/gstavidemux.c#L5015

There is a size check; however, the product stride * h is computed in 32-bit integer arithmetic, so by choosing stride and h appropriately it overflows and wraps around to a small value, and the comparison against map.size passes (for example stride = 65536 and h = 65536 give stride * h = 2^32, which wraps to 0):

  if (map.size < (stride * h)) {
    GST_WARNING ("Buffer is smaller than reported Width x Height x Depth");
    gst_buffer_unmap (buf, &map);
    return buf;
  }

https://gitlab.freedesktop.org/gstreamer/gstreamer/-/blob/main/subprojects/gst-plugins-good/gst/avi/gstavidemux.c#L5009

The swap loop then uses the unwrapped h and indexes lines up to stride * (h - 1) bytes from map.data, far beyond the mapped buffer, reading and overwriting heap memory here:

  for (y = 0; y < h / 2; y++) {
    swap_line (map.data + stride * y, map.data + stride * (h - 1 - y), tmp,
        stride);
  }

https://gitlab.freedesktop.org/gstreamer/gstreamer/-/blob/main/subprojects/gst-plugins-good/gst/avi/gstavidemux.c#L5017
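The wrap described above, beside a check that closes it, as an added example in C that is not part of the original report or of GStreamer. The strf_vids struct, round_up_4 and the function names are assumptions standing in for the GStreamer types; the 32-bit product models the int arithmetic in gst_avi_demux_invert, and the two headers are constructed so that the hostile one has stride * h equal to exactly 2^32:

```c
/*
 * Added example (not GStreamer code): models the size check in
 * gst_avi_demux_invert to show how stride * h wraps, next to a hardened
 * check that rejects the same header.  strf_vids, round_up_4 and the
 * function names are assumptions made for this illustration.
 */
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Same rounding as GST_ROUND_UP_4, written for 64-bit operands. */
static uint64_t round_up_4(uint64_t n) { return (n + 3) & ~(uint64_t)3; }

/* The three header fields the vulnerable code trusts (from the strf chunk). */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint16_t bit_cnt;
} strf_vids;

/* Vulnerable check, as in the report: stride and h are 32-bit ints, so the
 * product is computed in 32 bits and can wrap before it is compared with the
 * 64-bit map.size.  (Modelled with uint32_t so the wrap is well-defined
 * here; the original uses gint.) */
static bool vulnerable_check_passes(size_t map_size, const strf_vids *v)
{
    uint32_t h = v->height;
    uint32_t w = v->width;
    uint32_t bpp = v->bit_cnt ? v->bit_cnt : 8;
    uint32_t stride = (uint32_t)round_up_4(w * (bpp / 8));
    uint32_t product = stride * h;        /* wraps modulo 2^32 */
    return !(map_size < product);         /* mirrors "map.size < (stride * h)" */
}

/* Hardened check: compute in 64 bits and refuse anything that would overflow
 * or exceed the mapped buffer.  Failing the check means "leave the buffer
 * untouched", which is also what the original does for a zero stride. */
static bool hardened_check_passes(size_t map_size, const strf_vids *v)
{
    uint64_t h = v->height, w = v->width;
    uint64_t bpp = v->bit_cnt ? v->bit_cnt : 8;
    uint64_t stride = round_up_4(w * (bpp / 8));  /* < 2^45, cannot overflow */
    if (stride == 0 || h == 0)
        return false;
    if (h > UINT64_MAX / stride)                  /* stride * h would overflow */
        return false;
    return stride * h <= map_size;
}

/* How many bytes past the end of the buffer the swap loop would touch if the
 * vulnerable check let this header through (0 when everything is in bounds).
 * The loop's highest access is line h-1, i.e. bytes [stride*(h-1), stride*h). */
static uint64_t bytes_past_end(size_t map_size, const strf_vids *v)
{
    uint64_t bpp = v->bit_cnt ? v->bit_cnt : 8;
    uint64_t stride = round_up_4((uint64_t)v->width * (bpp / 8));
    uint64_t needed = stride * (uint64_t)v->height;
    return needed > map_size ? needed - map_size : 0;
}

int main(void)
{
    /* Constructed headers (not taken from the crash file): a benign 4x4
     * 24-bit DIB and a hostile one whose stride * h is exactly 2^32. */
    strf_vids benign  = { .width = 4,     .height = 4,     .bit_cnt = 24 };
    strf_vids hostile = { .width = 16384, .height = 65536, .bit_cnt = 32 };
    size_t map_size = 48;   /* one benign 4x4x3 frame */

    printf("benign : vulnerable=%d hardened=%d bytes_past_end=%" PRIu64 "\n",
           (int)vulnerable_check_passes(map_size, &benign),
           (int)hardened_check_passes(map_size, &benign),
           bytes_past_end(map_size, &benign));
    printf("hostile: vulnerable=%d hardened=%d bytes_past_end=%" PRIu64 "\n",
           (int)vulnerable_check_passes(map_size, &hostile),
           (int)hardened_check_passes(map_size, &hostile),
           bytes_past_end(map_size, &hostile));
    return 0;
}
```

Compile with cc -std=c11 and run: the hostile header passes the vulnerable check against a 48-byte buffer because the product wraps to 0, while the hardened check rejects it and bytes_past_end reports that the swap loop would reach about 4 GiB beyond the buffer. The wrapped value need not be 0: with the same stride, h = 65537 wraps to 65536, which passes the vulnerable check as soon as the frame buffer is at least 64 KiB, so an attacker can tune h to whatever frame size the file actually carries.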

Expected Behavior

No segfault.

Observed Behavior

Segfault.

Setup

  • Operating System: Ubuntu 20.04.4 LTS
  • Device: Computer
  • GStreamer Version: tested on 1.16.2, but vulnerability present on main

Steps to reproduce the bug

  1. Download the attached file: crash-gst.avi

  2. Use gst-play-1.0 to play the file:

gst-play-1.0 ./crash-gst.avi

How reproducible is the bug?

Always

Impact

Likely code execution through heap manipulation, although I only have this crashing PoC.

Additional Information

I'd like to request a CVE as part of this process.

Thank you!
