I have now done some digging on the reported vulnerabilities and both appear to be already fixed.

CVE-2021-40826 was caused by a potential null pointer dereference in MoodbarPipeline::NewPadCallback when it called self->builder_->Init() while self->builder_ was potentially null. This was fixed in commit 55edcf5 a while ago.

CVE-2021-40827 was a bit trickier to track down. I contacted VoidSec to ask for more information and example MP3 files, which they were nice enough to provide :). I have confirmed by wading through the code and some disassembly magic that this is indeed a bug in gstreamer before 1.11.1: setting the FOOTER flag while simultaneously providing a tag size of zero in the tag header would cause a uint underflow that in turn resulted in gstreamer trying to read way past the actual buffer size, thus resulting in the read access violation observed in the CVE.

(The target buffer was allocated from the heap, so it seems to me that the risk of arbitrary code injection/execution was rather low as there appears no opportunity to redirect execution flow there.) This was fixed in commit d178f762 of the gst-plugins-base repository a couple of years ago.
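The unsigned-underflow pattern described for CVE-2021-40827 can be illustrated with a small ID3v2 header parser. The code below is an added example written for this page; it is not gst-plugins-base code and does not reproduce the actual change in commit d178f762. It models the bug class only: an ID3v2 tag header whose FOOTER flag is set while the declared tag size is zero, fed to a parser that subtracts the footer length without a lower-bound check, yields a wrapped 32-bit size that a caller would then use to read far beyond the heap buffer. The function names, the `id3v2_header_info` struct and both sample headers are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ID3v2 header layout (ID3v2.4): "ID3", 2 version bytes, 1 flags byte, 4-byte synchsafe size. */
#define ID3V2_HEADER_LEN 10u
#define ID3V2_FOOTER_LEN 10u
#define ID3V2_FLAG_FOOTER 0x10u   /* bit 4 of the flags byte: a 10-byte footer follows the frames */

typedef struct {
    bool ok;                  /* false: header rejected, caller must not read frame data */
    uint32_t frame_data_size; /* bytes of frame data the caller is allowed to read */
} id3v2_header_info;

/* Decode a 28-bit synchsafe integer: 4 bytes, 7 payload bits each, high bit always clear. */
static uint32_t read_synchsafe(const uint8_t *p)
{
    return ((uint32_t)(p[0] & 0x7f) << 21) | ((uint32_t)(p[1] & 0x7f) << 14) |
           ((uint32_t)(p[2] & 0x7f) << 7)  |  (uint32_t)(p[3] & 0x7f);
}

/* Shared prefix for both parsers: magic check and field extraction.
 * Returns false if the buffer cannot even hold a full header. */
static bool read_header_fields(const uint8_t *buf, size_t len, uint8_t *flags, uint32_t *tag_size)
{
    if (len < ID3V2_HEADER_LEN || memcmp(buf, "ID3", 3) != 0)
        return false;
    *flags = buf[5];
    *tag_size = read_synchsafe(buf + 6);
    return true;
}

/* Vulnerable model (hypothetical): the footer length is subtracted from the
 * declared tag size with unsigned arithmetic and no lower-bound check. With
 * FOOTER set and a declared size of 0 the subtraction wraps to 0xFFFFFFF6, so
 * a caller that trusts frame_data_size reads far past the end of the buffer. */
id3v2_header_info parse_id3v2_header_vulnerable(const uint8_t *buf, size_t len)
{
    id3v2_header_info info = { false, 0 };
    uint8_t flags;
    uint32_t tag_size;
    if (!read_header_fields(buf, len, &flags, &tag_size))
        return info;
    if (flags & ID3V2_FLAG_FOOTER)
        tag_size -= ID3V2_FOOTER_LEN;     /* unchecked: wraps when tag_size < 10 */
    info.ok = true;
    info.frame_data_size = tag_size;      /* never compared against len */
    return info;
}

/* Hardened model: reject a size too small to contain the footer before
 * subtracting, and reject a declared size larger than the bytes actually
 * present in the buffer, so frame_data_size is always readable. */
id3v2_header_info parse_id3v2_header_hardened(const uint8_t *buf, size_t len)
{
    id3v2_header_info info = { false, 0 };
    uint8_t flags;
    uint32_t tag_size;
    if (!read_header_fields(buf, len, &flags, &tag_size))
        return info;
    if (flags & ID3V2_FLAG_FOOTER) {
        if (tag_size < ID3V2_FOOTER_LEN)
            return info;                  /* would underflow: malformed tag */
        tag_size -= ID3V2_FOOTER_LEN;
    }
    if (tag_size > len - ID3V2_HEADER_LEN)
        return info;                      /* declared size exceeds available bytes */
    info.ok = true;
    info.frame_data_size = tag_size;
    return info;
}

/* Constructed sample 1: FOOTER flag set, declared tag size 0 (the malformed case). */
const uint8_t sample_footer_size_zero[ID3V2_HEADER_LEN] = {
    'I', 'D', '3', 0x04, 0x00, ID3V2_FLAG_FOOTER, 0x00, 0x00, 0x00, 0x00
};

/* Constructed sample 2: no footer, declared size 32, and 32 zeroed frame bytes really present. */
const uint8_t sample_wellformed[ID3V2_HEADER_LEN + 32] = {
    'I', 'D', '3', 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20
};

int main(void)
{
    id3v2_header_info v = parse_id3v2_header_vulnerable(sample_footer_size_zero, sizeof sample_footer_size_zero);
    id3v2_header_info h = parse_id3v2_header_hardened(sample_footer_size_zero, sizeof sample_footer_size_zero);
    printf("vulnerable: ok=%d frame_data_size=%u\n", v.ok, v.frame_data_size);
    printf("hardened:   ok=%d frame_data_size=%u\n", h.ok, h.frame_data_size);
    return 0;
}
```

The hardened variant makes two separate decisions that the vulnerable one skips: it checks the subtraction cannot wrap before performing it, and it bounds the declared size by the bytes actually available. Either check alone stops the zero-size-with-footer case; both are needed for a header that declares a plausible size the file does not actually contain.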