GStreamer Heap-Based Buffer Overread Vulnerability in MP4 Demuxing

A heap out-of-bounds read vulnerability has been identified in the GStreamer isomp4 plugin, specifically in versions prior to 1.26.2. The issue arises in the qtdemux_parse_trak function, which may read beyond the end of a heap buffer while parsing the 'stsd' atom(s) of an MP4 file. This vulnerability could lead to information disclosure.

Impact

Exploitation of this vulnerability may result in an out-of-bounds read, potentially allowing attackers to access sensitive data or manipulate the application in unintended ways.

Reproduction

The vulnerability can be reproduced by using a crafted MP4 file that exploits the out-of-bounds read condition. This can be done by truncating the 'mvhd' atom in a way that causes the qtdemux_parse_trak function to read past the end of the buffer. The GStreamer pipeline can be set up to use the 'qtdemux' element, and the 'pad-added' signal can be connected to a sink element to facilitate playback. When the pipeline is run, the out-of-bounds read will occur, and the leaked data can be observed.

Remediation

Users can upgrade to GStreamer version 1.26.2 or apply the available patch for older versions.