| शीर्षक | GPAC commit a95e79308 - b40ce70f5 Heap-based Buffer Overflow |
|---|
| विवरण | A heap-based out-of-bounds read vulnerability exists in GPAC MP4Box in the ISOBMFF sample group description cleanup logic. The issue
affects sgpd_del_entry() in src/isomedia/box_code_base.c when MP4Box processes crafted AV1 input through the -cat operation.
AV1 switching frame sample groups use the GF_ISOM_SAMPLE_GROUP_AV1S grouping type. Their entries are created by sg_av1s_create_entry() in
src/isomedia/isom_write.c as GF_AV1SwitchingEntry objects, which only contain a 4-byte dummy field. However, sgpd_del_entry() does not
contain a dedicated case for GF_ISOM_SAMPLE_GROUP_AV1S. As a result, AV1S entries fall through to the default deletion logic and are
incorrectly cast to GF_DefaultSampleGroupDescriptionEntry.
The default entry type contains a data pointer at offset 8. When sgpd_del_entry() checks ptr->data, it reads 8 bytes from outside the 4-
byte GF_AV1SwitchingEntry allocation, causing a heap-buffer-overflow. This occurs during cleanup after an import failure, when
sgpd_box_del() destroys the sample group description box.
The vulnerability can be triggered with a crafted AV1 media file using:
./MP4Box -cat <crafted_file> white.mp4 -out /dev/null
Successful exploitation can cause MP4Box to crash, resulting in denial of service. The root cause is a missing GF_ISOM_SAMPLE_GROUP_AV1S
deletion branch in sgpd_del_entry(), causing a type confusion between AV1S sample group entries and default sample group description
entries. |
|---|
| स्रोत | ⚠️ https://github.com/gpac/gpac/issues/3398 |
|---|
| उपयोगकर्ता | noki (UID 98507) |
|---|
| सबमिशन | 03/06/2026 02:32 PM (1 महीना पहले) |
|---|
| संयम | 04/07/2026 07:16 AM (1 month later) |
|---|
| स्थिति | स्वीकृत |
|---|
| VulDB प्रविष्टि | 376293 [GPAC तक b40ce70f5 MP4Box box_code_base.c sgpd_del_entry data बफ़र ओवरफ़्लो] |
|---|
| अंक | 20 |
|---|