CVE-2022-1920: matroska: heap overwrite in gst_matroska_demux_add_wvpk_header (#1226) · Issues · GStreamer / gstreamer · GitLab
Integer overflow in the matroskademux element's gst_matroska_demux_add_wvpk_header function, which allows a heap overwrite while parsing Matroska files. Potential for arbitrary code execution through the heap overwrite.
Describe the vulnerability
The vulnerability is an integer overflow in gst_matroska_demux_add_wvpk_header which leads to a heap overwrite.
The size computed for the newbuf allocation can overflow if blocksize is very large:
newbuf = gst_buffer_new_allocate (NULL, WAVPACK4_HEADER_SIZE + blocksize, NULL);
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/blob/main/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c#L3980
Later in the function, memory is copied from our data to outdata (which is mapped from newbuf), and the very large blocksize is used as the copy length:
memcpy (outdata, data, blocksize);
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/blob/main/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c#L4002
An interesting note is that this would normally be impossible to trigger because of the size check on blocks in gst_matroska_demux_check_read_size, which restricts EBML blocks to at most MAX_BLOCK_SIZE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/blob/main/subprojects/gst-plugins-good/gst/matroska/matroska-demux.c#L5332
However, you can get around this by using zlib to decompress a block that is < MAX_BLOCK_SIZE into something much larger.
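The size arithmetic described above, with a hardened version beside it, as an added example in C that is neither the reporter's code nor GStreamer's own fix. WAVPACK4_HEADER_SIZE is the 32-byte value from matroska-demux.c; the function names, the header bytes written and the sample input are constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Header size of a WavPack v4 block, as defined in matroska-demux.c. */
#define WAVPACK4_HEADER_SIZE 32

/* Size arithmetic of the vulnerable path: the int constant plus a guint32
 * blocksize is evaluated in 32-bit unsigned arithmetic, so it wraps before
 * being widened to the allocator's gsize. A blocksize near UINT32_MAX gives
 * a tiny allocation, while the later memcpy still copies blocksize bytes. */
uint32_t wvpk_alloc_size_unchecked(uint32_t blocksize)
{
    return WAVPACK4_HEADER_SIZE + blocksize;
}

/* Hardened size computation (constructed for this example): refuse a
 * blocksize that would wrap the sum or that exceeds the bytes actually
 * present in the (possibly zlib-decompressed) block, since the memcpy
 * reads blocksize bytes from that input. Returns 1 and sets *alloc on
 * success, 0 when the block must be rejected. */
int wvpk_alloc_size_checked(uint32_t blocksize, size_t input_len, size_t *alloc)
{
    if (blocksize > UINT32_MAX - WAVPACK4_HEADER_SIZE)
        return 0;                           /* sum would wrap in 32 bits */
    if ((size_t) blocksize > input_len)
        return 0;                           /* memcpy would over-read source */
    *alloc = (size_t) WAVPACK4_HEADER_SIZE + blocksize;
    return 1;
}

/* Builds header + payload like the demuxer does, but only after the size
 * check passed. Header contents here are a stand-in ("wvpk" magic, zeros).
 * Returns a malloc'ed buffer of *out_len bytes, or NULL if rejected. */
unsigned char *add_wvpk_header(const unsigned char *data, size_t input_len,
                               uint32_t blocksize, size_t *out_len)
{
    size_t alloc;
    unsigned char *out;
    if (!wvpk_alloc_size_checked(blocksize, input_len, &alloc))
        return NULL;
    out = calloc(1, alloc);
    if (out == NULL)
        return NULL;
    memcpy(out, "wvpk", 4);                 /* constructed header stand-in */
    memcpy(out + WAVPACK4_HEADER_SIZE, data, blocksize);
    *out_len = alloc;
    return out;
}
```

With blocksize 0xFFFFFFF0 the unchecked sum wraps to 16 bytes, which is exactly the allocation the memcpy would then overrun; the checked version rejects that value outright.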
Expected Behavior
Not segfault.
Observed Behavior
Segfault.
Setup
- Operating System: Ubuntu 20.04.4
- Device: Computer
- GStreamer Version: 1.16.2
Steps to reproduce the bug
- Download the attached wvpk-crash.mkv
- Run gst-play-1.0 ./wvpk-crash.mkv (note it takes a while, roughly 20 seconds on my machine to crash).
How reproducible is the bug?
Always.
Impact
Heap overwrite. An attacker can survive the overwrite by careful massaging of the heap, and corrupt heap objects and heap metadata (I have done this part). This can lead to arbitrary code execution (although I have not done this part).
Additional Information
I’d like to request a CVE for this vulnerability.
Thank you, happy to help.
Related news
Gentoo Linux Security Advisory 202409-13 - Multiple vulnerabilities have been discovered in gst-plugins-good, the worst of which could lead to denial of service or arbitrary code execution. Versions greater than or equal to 1.20.3 are affected.
Red Hat Security Advisory 2023-2260-01 - GStreamer is a streaming media framework based on graphs of filters which operate on media data. The gstreamer1-plugins-good packages contain a collection of well-supported plug-ins of good quality and under the LGPL license. Issues addressed include a buffer overflow vulnerability.
An update for gstreamer1-plugins-good is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs:
* CVE-2022-1920: A flaw was found in GStreamer. An integer overflow can lead to a heap-based buffer overflow in the mkv demuxer when processing a specially crafted Matroska file. This vulnerability can result in application crash, memory corruption, and code execution.
* CVE-2022-1921: A flaw was found in GStreamer. An integer overflow can lead to ...
OpenHarmony-v3.1.2 and prior versions have a heap overflow vulnerability. Local attackers can trigger a heap overflow and get network sensitive information.
Ubuntu Security Notice 5555-1 - It was discovered that GStreamer Good Plugins incorrectly handled certain files. An attacker could possibly use this issue to execute arbitrary code. It was discovered that GStreamer Good Plugins incorrectly handled certain files. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.