A 1-byte heap out-of-bounds read vulnerability exists in the gst_h264_parse_process_nal() function in subprojects/gst-plugins-bad/gst/videoparsers/gsth264parse.c. The function processes H.264 NAL units including GST_H264_NAL_SLICE_EXT (NAL type 20) for MVC/SVC extension slices.

At line 1132, the code dereferences *(nalu->data + nalu->offset + nalu->header_bytes) to check the first_mb_in_slice flag without first verifying that nalu->size > nalu->header_bytes. For extension slice types, header_bytes is set to 4 (1 byte base + 3 bytes extension header per gsth264parser.c:243). A malformed NAL unit with exactly size==4 passes the minimum size check (size >= 2 at line 999) but triggers a 1-byte read at offset 4, which is beyond the allocated buffer.

The same bounds check pattern is correctly implemented in gst_h264_parse_collect_nal() at line 1259 with if (nalu->size > nalu->header_bytes).

The vulnerability affects GStreamer 1.x versions (tested against git version 1.29.1.1). Upstream maintainer Sebastian Droege confirmed the vulnerability via GitLab work item 5108.

Reported by Dr. Faruk Kazi, Ramesh Adhikari, and Ariba Afroz from CoE-CNDS Lab, VJTI, Mumbai, India.

PSIRT Ticket: PSIRTSUPT-17585.
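
The unchecked read and the size > header_bytes guard described above, side by side, as an added example that is not GStreamer's code or the upstream patch. The nal_unit struct, the function names and the sample bytes are hypothetical stand-ins built from the fields named in the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-in for the NAL unit fields named in the report;
 * not the real GstH264NalUnit definition. */
typedef struct {
    const uint8_t *data;  /* backing buffer */
    size_t offset;        /* start of the NAL unit inside data */
    size_t size;          /* NAL unit length, header included */
    size_t header_bytes;  /* 1 normally, 4 for extension slices (type 20) */
} nal_unit;

/* Minimum-size gate from the report: size >= 2 is accepted. */
static int passes_min_size(const nal_unit *n) { return n->size >= 2; }

/* Unchecked pattern: assumes a payload byte follows the header. When
 * size == header_bytes this reads one byte past the NAL unit. */
static int first_mb_is_zero_unchecked(const nal_unit *n) {
    return (n->data[n->offset + n->header_bytes] & 0x80) != 0;
}

/* Checked pattern, mirroring the size > header_bytes test the report
 * cites from gst_h264_parse_collect_nal(). Returns -1 when the NAL unit
 * has no payload byte, else 1 if first_mb_in_slice == 0 (ue(v) value 0
 * is coded as a single 1 bit), else 0. */
static int first_mb_is_zero_checked(const nal_unit *n) {
    if (n->size <= n->header_bytes)
        return -1;
    return (n->data[n->offset + n->header_bytes] & 0x80) != 0;
}

int main(void) {
    /* Constructed sample bytes, not a real bitstream (0x74 = NAL type 20). */
    static const uint8_t hdr_only[4] = { 0x74, 0x00, 0x00, 0x00 };
    static const uint8_t with_payload[5] = { 0x74, 0x00, 0x00, 0x00, 0x80 };
    nal_unit bad = { hdr_only, 0, sizeof hdr_only, 4 };
    nal_unit ok = { with_payload, 0, sizeof with_payload, 4 };

    /* The unchecked variant is deliberately not called on the header-only unit. */
    printf("header-only: min-size gate=%d checked=%d\n",
           passes_min_size(&bad), first_mb_is_zero_checked(&bad));
    printf("with payload: unchecked=%d checked=%d\n",
           first_mb_is_zero_unchecked(&ok), first_mb_is_zero_checked(&ok));
    return 0;
}
```

Building with -fsanitize=address and calling the unchecked variant on a heap copy of the header-only unit is a quick way to confirm a parser fix in a regression test.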