CVE-2022-2122: matroska: segfault / potential heap overflow in zlib decoding (#1225) · Issues · GStreamer / gstreamer · GitLab
DoS / potential heap overwrite in qtdemux using zlib decompression. An integer overflow in the qtdemux element's qtdemux_inflate function causes a segfault, or could cause a heap overwrite, depending on the libc used and the underlying OS capabilities.
Describe the vulnerability
Integer overflow while decoding zlib encoded data in gst_matroska_decompress_data.
The given crashing POC zlib-decode-overflow-1.mkv has a block that, when zlib-decompressed, is 0x100000000 bytes in size.
This overflows the new_size integer here: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/blob/main/subprojects/gst-plugins-good/gst/matroska/matroska-read-common.c#L117
One potential root cause is that the zstream data counters are 64-bit: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/blob/main/subprojects/gst-plugins-good/gst/matroska/matroska-read-common.c#L105
while 32-bit integers are used to store the size in gst_matroska_decompress_data: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/blob/main/subprojects/gst-plugins-good/gst/matroska/matroska-read-common.c#L80
Expected Behavior
Not segfault.
Observed Behavior
Segfault
Setup
- Operating System: Ubuntu 20.04.4
- Device: Computer
- GStreamer Version: 1.16.2
- Command line: gst-play-1.0 ./zlib-decode-overflow-1.mkv
Steps to reproduce the bug
- Download zlib-decode-overflow-1.mkv
- Run gst-play-1.0 ./zlib-decode-overflow-1.mkv (takes about 8 seconds to trigger on my system)
How reproducible is the bug?
Always
Impact
Depending on the libc used, and the underlying OS capabilities, it could be just a segfault or a heap overwrite.
If the libc uses mmap for large chunks, and the OS supports mmap, then it is just a segfault (because the realloc before the integer overflow will use mremap to reduce the size of the chunk, and it will start to write to unmapped memory).
However, if using a libc implementation that does not use mmap, or if the OS does not support mmap while using libc, then this would likely result in a heap overwrite.
Additional Information
Not sure if this qualifies for a CVE, not sure what this project has done in the past. Happy to discuss.
Thanks!
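Added model of the size bookkeeping the report describes (an illustration written for this page, not GStreamer's code): a 64-bit running output counter, like zlib's total_out, copied into a 32-bit size, beside a version that keeps the arithmetic wide and enforces an output cap. CHUNK and the max_out cap are assumed values; the 0x100000000 figure is the decompressed size from the report.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stddef.h>

/* Grow-while-inflating loops reallocate the output buffer each time the
 * decompressor runs out of space. zlib reports bytes produced so far as
 * uLong (64-bit on LP64); the report says the buffer size was tracked in
 * a 32-bit integer. CHUNK is an assumed growth step. */
#define CHUNK 4096u

/* Vulnerable bookkeeping: a 32-bit size is fed from the 64-bit counter.
 * Returns the size that would be handed to realloc. */
static uint32_t vuln_next_size(uint64_t total_out)
{
    uint32_t new_size = (uint32_t) total_out;   /* silent truncation */
    new_size += CHUNK;                          /* may wrap to a tiny value */
    return new_size;
}

/* Hardened bookkeeping: stay in the wide type, refuse output beyond an
 * explicit cap (max_out is an assumed policy value), check the addition
 * for wrap, and only then convert for the allocator. Returns 0 on success. */
static int safe_next_size(uint64_t total_out, uint64_t max_out, size_t *out)
{
    if (total_out > max_out)                    /* absurd or hostile output size */
        return -1;
    if (total_out > UINT64_MAX - CHUNK)         /* no wrap in the addition */
        return -1;
    uint64_t want = total_out + CHUNK;
    if (want > SIZE_MAX)                        /* must fit the allocator's type */
        return -1;
    *out = (size_t) want;
    return 0;
}

/* The hazard itself: the next write lands at offset total_out and covers
 * CHUNK bytes, so it is out of bounds whenever the buffer is smaller. */
static int write_would_overflow(uint64_t total_out, size_t buf_size)
{
    return total_out + CHUNK > buf_size;
}

int main(void)
{
    uint64_t total_out = 0x100000000ULL;        /* decompressed size from the report */
    uint32_t wrapped = vuln_next_size(total_out); /* 4096: buffer shrinks to one chunk */
    size_t checked;
    int rc = safe_next_size(total_out, 1ULL << 30, &checked); /* -1: rejected */
    return (write_would_overflow(total_out, wrapped) && rc == -1) ? 0 : 1;
}
```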
Related news
Gentoo Linux Security Advisory 202409-13 - Multiple vulnerabilities have been discovered in gst-plugins-good, the worst of which could lead to denial of service or arbitrary code execution. Versions greater than or equal to 1.20.3 are affected.
Red Hat Security Advisory 2023-2260-01 - GStreamer is a streaming media framework based on graphs of filters which operate on media data. The gstreamer1-plugins-good packages contain a collection of well-supported plug-ins of good quality and under the LGPL license. Issues addressed include a buffer overflow vulnerability.
An update for gstreamer1-plugins-good is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1920: A flaw was found in GStreamer. An integer overflow can lead to a heap-based buffer overflow in the mkv demuxer when processing a specially crafted Matroska file. This vulnerability can result in application crash, memory corruption, and code execution. * CVE-2022-1921: A flaw was found in GStreamer. An integer overflow can lead to ...
OpenHarmony-v3.1.2 and prior versions have a heap overflow vulnerability. Local attackers can trigger a heap overflow and get network sensitive information.
Ubuntu Security Notice 5555-1 - It was discovered that GStreamer Good Plugins incorrectly handled certain files. An attacker could possibly use this issue to execute arbitrary code. It was discovered that GStreamer Good Plugins incorrectly handled certain files. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.