The GStreamer project reports multiple security vulnerabilities fixed in the 1.28.2 release, including:
- H.264 video parser NULL pointer dereference when freeing SPS/MVC data.
- Integer overflows in the AV1 LEB128 parser, H.266/VVC video parser, and WAV parser cue handling.
- Heap buffer overflow in the Matroska demuxer.
- Assertion failures in the FLV demuxer on corrupted streams.
- NULL-pointer dereferences in the mDVDsub subtitle parser.
- Multiple out-of-bounds reads and writes in the MOV/MP4 demuxer audio channel layout parsing.
- Denial of service in the SRT/WebVTT parser.
These could lead to application crashes, memory exhaustion, or potentially arbitrary code execution.