| Field | Value |
|---|---|
| Title | GPAC v0.9.0 - v2.5-DEV Double Free |
| Description | A double-free vulnerability exists in GPAC MP4Box in the ISOBMFF NALU sample rewrite logic. The issue affects `gf_isom_nalu_sample_rewrite()` in `src/isomedia/avc_ext.c` when processing crafted AVC/HEVC samples through `MP4Box -cat`.<br><br>During NALU rewriting, `mdia->nalu_out_bs` may be reassigned to reference `sample->data` directly. On normal paths the buffer is detached with `gf_bs_get_content_no_truncate()`, but when an invalid NAL size is encountered, the function returns through the `goto exit` error path without detaching `mdia->nalu_out_bs->original` from `sample->data`. This leaves `nalu_out_bs->original` pointing to a buffer that is later freed as part of sample cleanup.<br><br>When the media box is destroyed, `mdia_box_del()` calls `gf_bs_del()` on `nalu_out_bs`. Since the bitstream is in `GF_BITSTREAM_WRITE_DYN` mode and `original` is still non-NULL, `gf_bs_del()` frees the same buffer again, resulting in a double free.<br><br>The vulnerability can be triggered by a crafted media file using:<br>`./MP4Box -cat <crafted_file> white.mp4 -out /dev/null`<br><br>Successful exploitation can cause a process crash (denial of service) and may lead to memory corruption depending on allocator behavior.<br><br>The issue is fixed by ensuring the error path detaches the reused bitstream buffer before returning. |
| Source | https://github.com/gpac/gpac/issues/3403 |
| User | noki (UID 98507) |
| Submitted | 03/06/2026 14:28 (1 month ago) |
| Moderated | 04/07/2026 07:16 (1 month later) |
| Status | accepted |
| VulDB entry | 376292 [GPAC up to 2.5-DEV MP4Box src/isomedia/avc_ext.c gf_isom_nalu_sample_rewrite nalu_out_bs buffer overflow] |
| Points | 20 |