| 标题 | GPAC MP4Box <= 2.4.0 (master commit 7508ccc and earlier) Null pointer dereference (Denial of Service) |
|---|
| 描述 | GPAC is an open-source multimedia framework that provides the MP4Box tool for parsing, editing, and streaming MP4 files.
A null pointer dereference vulnerability exists in the MergeFragment() function of GPAC MP4Box 2.4.0 and earlier versions (including master commit 7508ccc). When processing a malformed MP4 file with the "-hint" parameter, the program passes a NULL pointer as the second argument to a libc string/memory function annotated with the "nonnull" attribute. This triggers an UndefinedBehaviorSanitizer (UBSan) error and causes the program to receive a SIGABRT signal, resulting in a denial of service condition.
This issue appears to be related to previously fixed vulnerabilities #2166 and #2600, potentially indicating an incomplete fix or an unhandled edge case.
Reproduction steps:
1. Compile GPAC from the latest master branch (commit 7508ccc) with UndefinedBehaviorSanitizer enabled
2. Obtain the malformed MP4 file (POC) from the attached link
3. Execute the command: ./MP4Box -hint ./malformed.mp4
4. The program crashes with a UBSan null pointer error at isomedia/isom_intern.c:174
Stack trace:
#0 0x7ffff56df1e6 in MergeFragment /home/gpac/gpac-2/slatest/src/isomedia/isom_intern.c:174:5
#1 0x7ffff56e51b3 in gf_isom_parse_movie_boxes_internal /home/gpac/gpac-2/slatest/src/isomedia/isom_intern.c:784:9
#2 0x7ffff56eae39 in gf_isom_open_file /home/gpac/gpac-2/slatest/src/isomedia/isom_intern.c:1081:19
#3 0x5555556a132a in mp4box_main /home/gpac/gpac-2/slatest/applications/mp4box/mp4box.c:6481:12 |
|---|
| 来源 | ⚠️ https://github.com/gpac/gpac/issues/3549 |
|---|
| 用户 | fczhang (UID 97720) |
|---|
| 提交 | 2026-04-30 04時13分 (1 月前) |
|---|
| 管理 | 2026-05-26 12時52分 (26 days later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 365629 [GPAC 直到 2.4.0 MP4Box isom_intern.c MergeFragment 拒绝服务] |
|---|
| 积分 | 20 |
|---|