CVE-2024-47546Integer Underflow (Wrap or Wraparound) in Gstreamer

CWE-191Integer Underflow (Wrap or Wraparound)5 documents5 sources
Severity
6.9MEDIUMNVD
EPSS
0.2%
top 60.42%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
GstreamerDebian Gst-plugins-good1.0
Timeline
PublishedDec 12
Latest updateDec 18

Description

GStreamer is a library for constructing graphs of media-handling components. An integer underflow has been detected in extract_cc_from_data function within qtdemux.c. In the FOURCC_c708 case, the subtraction atom_length - 8 may result in an underflow if atom_length is less than 8. When that subtraction underflows, *cclen ends up being a large number, and then cclen is passed to g_memdup2 leading to an out-of-bounds (OOB) read. This vulnerability is fixed in 1.24.10.

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Packages2 packages

NVDgstreamer/gstreamer< 1.24.10
debiandebian/gst-plugins-good1.0< gst-plugins-good1.0 1.22.0-5+deb12u2 (bookworm)

Patches

Patch: gitlab.freedesktop.org

🔴Vulnerability Details

1
OSV
CVE-2024-47546: GStreamer is a library for constructing graphs of media-handling components2024-12-12

📋Vendor Advisories

3
Ubuntu
GStreamer Good Plugins vulnerabilities2024-12-18
Red Hat
gstreamer1-plugins-good: integer underflow in extract_cc_from_data leading to OOB-read2024-12-11
Debian
CVE-2024-47546: gst-plugins-good1.0 - GStreamer is a library for constructing graphs of media-handling components. An ...2024
CVE-2024-47546 — Integer Underflow (Wrap or Wraparound) | cvebase