what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

GStreamer Heap Overflow And Out Of Bounds

GStreamer Heap Overflow And Out Of Bounds
Posted Jan 23, 2009
Authored by Tobias Klein | Site trapkit.de

GStreamer gst-plugins-good versions below 0.10.12 suffer from heap overflow and array index out of bounds vulnerabilities.

tags | advisory, overflow, vulnerability
SHA-256 | ae5d5f7a93915193f6bbfe67a4de2d6d96a10f53637af659ba372970130ceede

GStreamer Heap Overflow And Out Of Bounds

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory: GStreamer Heap Overflow and Array Index out of
Bounds Vulnerabilities
Advisory ID: TKADV2009-003
Revision: 1.0
Release Date: 2009/01/22
Last Modified: 2009/01/22
Date Reported: 2009/01/17
Author: Tobias Klein (tk at trapkit.de)
Affected Software: GStreamer gst-plugins-good < version 0.10.12
Remotely Exploitable: Yes
Locally Exploitable: No
Vendor URL: http://gstreamer.freedesktop.org/
Vendor Status: Vendor has released an updated version
Patch development time: 5 days


======================
Vulnerability Details:
======================

GStreamer contains several heap buffer overflows and an array index out of
bounds vulnerability while parsing malformed QuickTime media files. The
vulnerabilities may be exploited by a (remote) attacker to execute
arbitrary code in the context of an application using the GStreamer
multimedia framework.

The GStreamer framework is used by a lot of popular media players like
Songbird [1], Totem [2] and Amarok [3].


==================
Technical Details:
==================

Source code file:
gst-plugins-good\gst\qtdemux\qtdemux.c


Description of the first heap buffer overflow vulnerability (vuln #1):
QuickTime 'ctts' Atom parsing

[..]
2915 static gboolean
2916 qtdemux_parse_samples (GstQTDemux * qtdemux, QtDemuxStream * stream,
2917 GNode * stbl)
2918 {
..
3145 /* composition time to sample */
3146 if ((ctts = qtdemux_tree_get_child_by_type (stbl, FOURCC_ctts))) {
3147 const guint8 *ctts_data = (const guint8 *) ctts->data;
3148 guint32 n_entries = QT_UINT32 (ctts_data + 12);
3149 guint32 count;
3150 gint32 soffset;
3151
3152 /* Fill in the pts_offsets */
3153 for (i = 0, j = 0; (j < stream->n_samples) &&
(i < n_entries); i++) {
3154 [1] count = QT_UINT32 (ctts_data + 16 + i * 8);
3155 [2] soffset = QT_UINT32 (ctts_data + 20 + i * 8);
3156 [3] for (k = 0; k < count; k++, j++) {
3157 /* we operate with very small soffset values here, it
shouldn't overflow */
3158 [4] samples[j].pts_offset = soffset * GST_SECOND /
stream->timescale;
3159 }
3160 }
3161 }
[..]

[1] The unsigned int variable "count" is filled with user supplied data
from the media file
[2] The int variable "soffset" is also filled with user supplied data from
the media file
[3] The (loop) counters "k", "count" and "j" can be controlled by the user
[4] User controlled data ("soffset * GST_SECOND / stream->timescale") gets
copied into the heap buffer "samples[]" while "j" is used as an array
index

This leads to a heap buffer overflow vulnerability that may be exploited to
execute arbitrary code in the context of an application using the
GStreamer framework. Exploitation is not easy and may even be impossible as
the written data can only be controlled to some extend.


Description of the array index out of bounds vulnerability (vuln #2):
QuickTime 'stss' Atom parsing

[..]
3045 if (stss) {
3046 /* mark keyframes */
3047 guint32 n_sample_syncs;
3048
3049 [1] n_sample_syncs = QT_UINT32 ((guint8 *) stss->data + 12);
3050 if (n_sample_syncs == 0) {
3051 stream->all_keyframe = TRUE;
3052 } else {
3053 offset = 16;
3054 [2] for (i = 0; i < n_sample_syncs; i++) {
3055 /* note that the first sample is index 1, not 0 */
3056 [3] index = QT_UINT32 ((guint8 *) stss->data + offset);
3057 if (index > 0) {
3058 [4] samples[index - 1].keyframe = TRUE;
3059 offset += 4;
3060 }
3061 }
3062 }
3063 } else {
[..]

[1] The unsigned int variable "n_sample_syncs" is filled with user supplied
data from the media file
[2] "n_sample_syncs" is used as a loop counter
[3] The int variable "index" is filled with user supplied data from the
media file
[4] As the user controlled value of "index" is used as an array index for
the "samples[]" buffer it is possible to write the int value 0x00000001
to (nearly) any location in memory.

A malicious party may exploit this issue to execute arbitrary code by
overwriting a sensitive memory location (such as a buffer length or boolean
variable).


Description of the second heap buffer overflow vulnerability (vuln #3):
QuickTime 'stts' Atom parsing

[..]
3018 [1] n_sample_times = QT_UINT32 ((guint8 *) stts->data + 12);
3019 timestamp = 0;
3020 stream->min_duration = 0;
3021 time = 0;
3022 index = 0;
3023 [2] for (i = 0; i < n_sample_times; i++) {
3024 guint32 n;
3025 guint32 duration;
3026
3027 [3] n = QT_UINT32 ((guint8 *) stts->data + 16 + 8 * i);
3028 [8] duration = QT_UINT32 ((guint8 *) stts->data + 16 + 8 * i + 4);
3029 [4] for (j = 0; j < n; j++) {
3030 GST_DEBUG_OBJECT (qtdemux, "sample %d: timestamp %"
GST_TIME_FORMAT,
3031 index, GST_TIME_ARGS (timestamp));
3032
3033 [5] samples[index].timestamp = timestamp;
3034 /* take first duration for fps */
3035 if (stream->min_duration == 0)
3036 stream->min_duration = duration;
3037 /* add non-scaled values to avoid rounding errors */
3038 [9] time += duration;
3039 [10] timestamp = gst_util_uint64_scale (time, GST_SECOND,
stream->timescale);
3040 [6] samples[index].duration = timestamp - samples[index].timestamp;
3041
3042 [7] index++;
3043 }
3044 }
[..]

[1] The int variable "n_sample_times" is filled with user supplied data
from the media file
[2] "n_sample_times" is used as a loop counter
[3] The unsigned int variable "n" is filled with user supplied data from
the media file
[4] "n" is used as a loop counter
[5] + [6] Partly user controlled data (see [8], [9] and [10]) is copied
into the "samples[]" buffer while "index" is used as an array
index. As "index" is incremented with each loop (see [7]) -- and
the loop counter "n" is user controlled, see [3] and [4] -- it is
possible to write beyond the bounds of the "samples[]" buffer

This leads to a heap buffer overflow vulnerability that may be exploited to
execute arbitrary code in the context of an application using the
GStreamer framework. Exploitation is not easy and may even be impossible as
the written data can only be controlled to some extend.


=========
Solution:
=========

Upgrade to GStreamer gst-plugins-good version >= 0.10.12.


========
History:
========

2009/01/17 - GStreamer maintainers notified
2009/01/20 - Patch developed by GStreamer maintainers
2009/01/22 - Release date of new (fixed) version of GStreamer
2009/01/22 - Release date of this security advisory


========
Credits:
========

Vulnerability found and advisory written by Tobias Klein.


===========
References:
===========

[1] http://getsongbird.com/
[2] http://projects.gnome.org/totem/
[3] http://amarok.kde.org/
[4] http://cgit.freedesktop.org/gstreamer/gst-plugins-
good/commit/?id=bdc20b9baf13564d9a061343416395f8f9a92b53
[5] http://www.trapkit.de/advisories/TKADV2009-003.txt


========
Changes:
========

Revision 0.1 - Initial draft release to the vendor
Revision 1.0 - Public release


===========
Disclaimer:
===========

The information within this advisory may change without notice. Use
of this information constitutes acceptance for use in an AS IS
condition. There are no warranties, implied or express, with regard
to this information. In no event shall the author be liable for any
direct or indirect damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this
information is at the user's own risk.


==================
PGP Signature Key:
==================

http://www.trapkit.de/advisories/tk-advisories-signature-key.asc


Copyright 2009 Tobias Klein. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG

iD8DBQFJeOFVkXxgcAIbhEERAj1JAKCcH8fTcU75KjBgLOABD9wqUq+y1gCgnH5s
O6PAKd1FPZy4ver1GQ3CRB0=
=XQyw
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close