CVE-2017-5845 in GStreamer

Summary

by MITRE

The gst_avi_demux_parse_ncdt function in gst/avi/gstavidemux.c in gst-plugins-good in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (invalid memory read and crash) via a ncdt sub-tag that "goes behind" the surrounding tag.

Analysis

by VulDB Data Team • 03/17/2026

The vulnerability identified as CVE-2017-5845 resides within the GStreamer multimedia framework's gst-plugins-good component, specifically in the gst_avi_demux_parse_ncdt function located in the gst/avi/gstavidemux.c file. This flaw represents a classic buffer overread condition that occurs during the parsing of AVI file format structures, particularly when processing ncdt sub-tags. The issue manifests when the ncdt sub-tag extends beyond the boundaries of its parent tag, creating an invalid memory access pattern that leads to application instability. The vulnerability affects GStreamer versions prior to 1.10.3, indicating a widespread exposure across multiple release cycles of the multimedia framework.

The technical exploitation of this vulnerability occurs through malformed AVI files that contain specially crafted ncdt sub-tags extending beyond their containing tag boundaries. When the gst_avi_demux_parse_ncdt function attempts to parse such malformed data, it performs memory reads beyond allocated buffer boundaries, resulting in invalid memory access. This invalid memory read triggers a segmentation fault or similar memory access violation that causes the target application to crash. The flaw demonstrates characteristics consistent with CWE-125, which describes "Out-of-bounds Read" conditions where programs access memory locations outside the bounds of allocated buffers. The vulnerability operates at the parsing layer of the multimedia framework, making it particularly dangerous as it can be triggered by simply opening or processing a crafted AVI file.
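The bounds check this kind of parser needs, shown as an added example (not GStreamer's code and not from the original page): a hypothetical `walk_subtags` function rejects a sub-tag whose declared size exceeds what is left of the parent chunk. The 4-byte sub-tag header layout and the sample bytes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout, for illustration only: each sub-tag is a 2-byte tag and a
 * 2-byte little-endian payload size, followed by that many payload bytes. */
#define SUBTAG_HDR 4u

/* Constructed samples: two well-formed sub-tags, then one whose declared
 * size (0x40) exceeds the 2 bytes the parent chunk actually has left. */
static const uint8_t GOOD_CHUNK[] = { 0x01,0x00, 0x02,0x00, 0x10,0x20,
                                      0x02,0x00, 0x01,0x00, 0x05 };
static const uint8_t BAD_CHUNK[]  = { 0x01,0x00, 0x40,0x00, 0xAA,0xBB };

static uint16_t rd16le(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Walk the sub-tags in a parent chunk of len bytes. Returns the number of
 * sub-tags parsed, or -1 when a sub-tag extends past the end of the parent.
 * *sum receives a byte sum of the payloads (stand-in for real parsing). */
int walk_subtags(const uint8_t *buf, size_t len, uint32_t *sum)
{
    size_t off = 0;
    int count = 0;
    *sum = 0;
    while (len - off >= SUBTAG_HDR) {          /* header fits in the parent */
        uint16_t size = rd16le(buf + off + 2);
        off += SUBTAG_HDR;
        /* Without this comparison the loop below reads past buf + len.
         * Compare against the bytes remaining so nothing can wrap. */
        if (size > len - off)
            return -1;
        for (size_t i = 0; i < size; i++)
            *sum += buf[off + i];
        off += size;
        count++;
    }
    return count;
}

int main(void)
{
    uint32_t sum;
    printf("good: %d\n", walk_subtags(GOOD_CHUNK, sizeof GOOD_CHUNK, &sum));
    printf("bad:  %d\n", walk_subtags(BAD_CHUNK, sizeof BAD_CHUNK, &sum));
    return 0;
}
```

Comparing the declared size against `len - off`, rather than testing `off + size` against `len`, keeps the check correct even when the size field is widened to a type where the addition could wrap.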

From an operational impact perspective, this vulnerability creates a significant denial of service risk for applications that rely on GStreamer for multimedia processing. Remote attackers can craft malicious AVI files that will cause any application using the affected GStreamer components to crash when attempting to parse or play the file. This affects a wide range of applications including media players, video processing software, and content management systems that utilize GStreamer's AVI demuxing capabilities. The vulnerability's remote exploitability means that attackers can deliver malicious content through various channels such as email attachments, web downloads, or file sharing platforms without requiring local system access. The impact extends beyond simple crashes to potentially disrupt media services and create availability issues for systems processing multimedia content.

The mitigation strategy for CVE-2017-5845 primarily involves upgrading to GStreamer version 1.10.3 or later, which includes patches that properly validate tag boundaries and prevent invalid memory reads. Organizations should implement comprehensive patch management procedures to ensure all systems utilizing GStreamer components receive the necessary updates. Additionally, input validation measures should be implemented at application layers that process AVI files, including the use of sandboxed environments or restricted file format parsing. Security teams should consider implementing network-based intrusion detection systems that can identify and block suspicious AVI file content patterns. The vulnerability's characteristics align with ATT&CK technique T1203, "Exploitation for Client Execution," as it enables remote code execution through the manipulation of multimedia file formats. Organizations should also consider implementing file type validation and content inspection mechanisms to prevent the processing of malformed multimedia files that could trigger this or similar buffer overread conditions.

Reservation: 02/01/2017

Disclosure: 02/09/2017

Moderation: accepted

Entry: VDB-96777

CPE: ready

EPSS: 0.01838

KEV: no

Activities: very low
