CVE-2022-1921: avidemux: heap buffer overwrite in gst_avi_demux_invert/swap_line (#1224)
Integer overflow in avidemux element in gst_avi_demux_invert function which allows a heap overwrite while parsing avi files. Potential for arbitrary code execution through heap overwrite.
Describe the vulnerability
Heap-based buffer overflow in avidemux element, specifically in the functions gst_avi_demux_invert/swap_line.
The root cause vulnerability is that these values come from the .avi file:

    h = stream->strf.vids->height;
    w = stream->strf.vids->width;
    bpp = stream->strf.vids->bit_cnt ? stream->strf.vids->bit_cnt : 8;
    stride = GST_ROUND_UP_4 (w * (bpp / 8));

https://gitlab.freedesktop.org/gstreamer/gstreamer/-/blob/main/subprojects/gst-plugins-good/gst/avi/gstavidemux.c#L5004
And the size of the buffer is malloc'd based on that:

    tmp = g_malloc (stride);

https://gitlab.freedesktop.org/gstreamer/gstreamer/-/blob/main/subprojects/gst-plugins-good/gst/avi/gstavidemux.c#L5015
There is a size check; however, the vulnerability is that by choosing stride and h correctly, stride * h will overflow and wrap around, bypassing the size check:

    if (map.size < (stride * h)) {
      GST_WARNING ("Buffer is smaller than reported Width x Height x Depth");
      gst_buffer_unmap (buf, &map);
      return buf;
    }

https://gitlab.freedesktop.org/gstreamer/gstreamer/-/blob/main/subprojects/gst-plugins-good/gst/avi/gstavidemux.c#L5009
Thus causing a heap overwrite here:

    for (y = 0; y < h / 2; y++) {
      swap_line (map.data + stride * y, map.data + stride * (h - 1 - y), tmp,
          stride);
    }

https://gitlab.freedesktop.org/gstreamer/gstreamer/-/blob/main/subprojects/gst-plugins-good/gst/avi/gstavidemux.c#L5017
Expected Behavior
Not segfault.
Observed Behavior
segfault.
Setup
- Operating System: Ubuntu 20.04.4 LTS
- Device: Computer
- GStreamer Version: tested on 1.16.2, but vulnerability present on main
Steps to reproduce the bug
Download the attached file: crash-gst.avi
Use gst-play-1.0 to run the file:

    gst-play-1.0 ./crash-gst.avi

How reproducible is the bug?
Always
Impact
Likely code execution through heap manipulation, although I only have this crashing POC.
Additional Information
I’d like to request a CVE as part of this process.
Thank you!
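
The size-check bypass described in the report, as an added example that is not part of the original issue or of GStreamer's code: it models the quoted check in 32-bit unsigned arithmetic (an assumption about the variable widths) beside an overflow-safe form. The function names and the sample dimensions are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Same rounding as the GST_ROUND_UP_4 macro used in the quoted code. */
#define ROUND_UP_4(n) (((n) + 3) & ~(uint32_t) 3)

/* Models the quoted check. Assumption: 32-bit arithmetic, written here with
 * unsigned types so the wrap is well defined. Returns true if the buffer is
 * accepted, i.e. the line-swapping loop would run. */
static bool check_wrapping(uint32_t w, uint32_t h, uint32_t bit_cnt, size_t map_size)
{
    uint32_t bpp = bit_cnt ? bit_cnt : 8;
    uint32_t stride = ROUND_UP_4(w * (bpp / 8));
    uint32_t needed = stride * h;           /* wraps modulo 2^32 */
    return !(map_size < needed);
}

/* Overflow-safe form: widen before multiplying, then compare by division so
 * no intermediate value can wrap. This example treats zero-sized geometry as
 * invalid; that policy is a choice made here, not taken from the page. */
static bool check_hardened(uint32_t w, uint32_t h, uint32_t bit_cnt, size_t map_size)
{
    uint64_t bpp = bit_cnt ? bit_cnt : 8;
    uint64_t stride = ((uint64_t) w * (bpp / 8) + 3) & ~(uint64_t) 3;
    if (stride == 0 || h == 0)
        return false;
    /* stride * h <= map_size  <=>  h <= map_size / stride */
    return h <= (uint64_t) map_size / stride;
}

int main(void)
{
    /* Constructed header values: stride = 65536, so stride * h = 2^32 -> 0. */
    uint32_t w = 65536, h = 65536, bit_cnt = 8;
    size_t map_size = 4096;                 /* constructed mapped buffer size */

    printf("wrapping check accepts: %d\n", check_wrapping(w, h, bit_cnt, map_size));
    printf("hardened check accepts: %d\n", check_hardened(w, h, bit_cnt, map_size));
    return 0;
}
```
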
Related news
Gentoo Linux Security Advisory 202409-13 - Multiple vulnerabilities have been discovered in gst-plugins-good, the worst of which could lead to denial of service or arbitrary code execution. Versions greater than or equal to 1.20.3 are affected.
Red Hat Security Advisory 2023-2260-01 - GStreamer is a streaming media framework based on graphs of filters which operate on media data. The gstreamer1-plugins-good packages contain a collection of well-supported plug-ins of good quality and under the LGPL license. Issues addressed include a buffer overflow vulnerability.
An update for gstreamer1-plugins-good is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1920: A flaw was found in GStreamer. An integer overflow can lead to a heap-based buffer overflow in the mkv demuxer when processing a specially crafted Matroska file. This vulnerability can result in application crash, memory corruption, and code execution. * CVE-2022-1921: A flaw was found in GStreamer. An integer overflow can lead to ...
OpenHarmony-v3.1.2 and prior versions have a heap overflow vulnerability. Local attackers can trigger a heap overflow and get network sensitive information.
Ubuntu Security Notice 5555-1 - It was discovered that GStreamer Good Plugins incorrectly handled certain files. An attacker could possibly use this issue to execute arbitrary code. It was discovered that GStreamer Good Plugins incorrectly handled certain files. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.