GStreamer Subparse Plugin Stack Buffer Overflow Vulnerability

A stack buffer overflow vulnerability has been identified in the GStreamer subparse plugin, specifically in the parse_subrip_time function. This vulnerability allows for data to be written beyond the limits of a stack-allocated buffer, potentially leading to arbitrary code execution. The issue arises when the function processes timestamps from SubRip subtitle files, where improper handling can cause zeroes to be appended past the buffer's end, creating a null terminator overflow.

Impact

Exploitation of this vulnerability causes a stack buffer overflow, a common precursor to arbitrary code execution.

Reproduction

The vulnerability can be reproduced by crafting a SubRip subtitle file that includes timestamps formatted in a way that the parser misinterprets, such as by omitting the required comma. When this file is processed by GStreamer, the parse_subrip_time function will attempt to zero-pad the timestamp, inadvertently writing past the buffer's allocated size.

Remediation

Users can upgrade to GStreamer versions 1.26.2 or later, where this vulnerability has been patched. For those using older versions, patch files are available.