Gpac Gpac

Do you want an email whenever new security vulnerabilities are reported in Gpac?

By the Year

In 2021 there have been 91 vulnerabilities in Gpac with an average score of 7.0 out of ten. Last year Gpac had 9 security vulnerabilities published. That is, 82 more vulnerabilities have already been reported in 2021 as compared to last year. However, the average CVE base score of the vulnerabilities in 2021 is greater by 1.03.

Year Vulnerabilities Average Score
2021 91 7.01
2020 9 5.98
2019 23 6.20
2018 3 9.13

It may take a day or so for new Gpac vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Gpac Security Vulnerabilities

An issue was discovered in gpac 0.8.0

CVE-2020-22678 5.5 - Medium - October 12, 2021

An issue was discovered in gpac 0.8.0. The gf_media_nalu_remove_emulation_bytes function in av_parsers.c has a heap-based buffer overflow which can lead to a denial of service (DOS) via a crafted input.

Memory Corruption

An issue was discovered in gpac 0.8.0

CVE-2020-22677 5.5 - Medium - October 12, 2021

An issue was discovered in gpac 0.8.0. The dump_data_hex function in box_dump.c has a heap-based buffer overflow which can lead to a denial of service (DOS) via a crafted input.

Memory Corruption

An issue was discovered in gpac 0.8.0

CVE-2020-22675 5.5 - Medium - October 12, 2021

An issue was discovered in gpac 0.8.0. The GetGhostNum function in stbl_read.c has a heap-based buffer overflow which can lead to a denial of service (DOS) via a crafted input.

Memory Corruption

An issue was discovered in gpac 0.8.0

CVE-2020-22674 5.5 - Medium - October 12, 2021

An issue was discovered in gpac 0.8.0. An invalid memory dereference exists in the function FixTrackID located in isom_intern.c, which allows attackers to cause a denial of service (DoS) via a crafted input.

NULL Pointer Dereference

Memory leak in the sgpd_parse_entry function in MP4Box in gpac 0.8.0

CVE-2020-22679 5.5 - Medium - October 12, 2021

Memory leak in the sgpd_parse_entry function in MP4Box in gpac 0.8.0 allows attackers to cause a denial of service (DoS) via a crafted input.

Memory Leak

Memory leak in the senc_Parse function in MP4Box in gpac 0.8.0

CVE-2020-22673 5.5 - Medium - October 12, 2021

Memory leak in the senc_Parse function in MP4Box in gpac 0.8.0 allows attackers to cause a denial of service (DoS) via a crafted input.

Memory Leak

An issue was discovered in gpac 0.8.0

CVE-2020-23266 5.5 - Medium - September 22, 2021

An issue was discovered in gpac 0.8.0. The OD_ReadUTF8String function in odf_code.c has a heap-based buffer overflow which can lead to a denial of service (DOS) via a crafted media file.

Memory Corruption

An issue was discovered in gpac 0.8.0

CVE-2020-23267 7.1 - High - September 22, 2021

An issue was discovered in gpac 0.8.0. The gf_hinter_track_process function in isom_hinter_track_process.c has a heap-based buffer overflow which can lead to a denial of service (DOS) via a crafted media file

Memory Corruption

An issue was discovered in gpac 0.8.0

CVE-2020-23269 5.5 - Medium - September 22, 2021

An issue was discovered in gpac 0.8.0. The stbl_GetSampleSize function in isomedia/stbl_read.c has a heap-based buffer overflow which can lead to a denial of service (DOS) via a crafted media file.

Memory Corruption

Buffer overflow vulnerability in function gf_fprintf in os_file.c in gpac before 1.0.1 allows attackers to execute arbitrary code

CVE-2021-32268 7.8 - High - September 20, 2021

Buffer overflow vulnerability in function gf_fprintf in os_file.c in gpac before 1.0.1 allows attackers to execute arbitrary code. The fixed version is 1.0.1.

Memory Corruption

An issue was discovered in gpac through 20200801

CVE-2021-32271 7.8 - High - September 20, 2021

An issue was discovered in gpac through 20200801. A stack-buffer-overflow exists in the function DumpRawUIConfig located in odf_dump.c. It allows an attacker to cause code Execution.

Memory Corruption

An issue was discovered in gpac through 20200801

CVE-2021-32270 5.5 - Medium - September 20, 2021

An issue was discovered in gpac through 20200801. A NULL pointer dereference exists in the function vwid_box_del located in box_code_base.c. It allows an attacker to cause Denial of Service.

NULL Pointer Dereference

An issue was discovered in gpac through 20200801

CVE-2021-32269 5.5 - Medium - September 20, 2021

An issue was discovered in gpac through 20200801. A NULL pointer dereference exists in the function ilst_item_box_dump located in box_dump.c. It allows an attacker to cause Denial of Service.

NULL Pointer Dereference

Memory leak in the gf_isom_get_root_od function in MP4Box in GPAC 1.0.1

CVE-2021-33365 5.5 - Medium - September 13, 2021

Memory leak in the gf_isom_get_root_od function in MP4Box in GPAC 1.0.1 allows attackers to read memory via a crafted file.

Buffer Overflow

Memory leak in the infe_box_read function in MP4Box in GPAC 1.0.1

CVE-2021-33363 5.5 - Medium - September 13, 2021

Memory leak in the infe_box_read function in MP4Box in GPAC 1.0.1 allows attackers to read memory via a crafted file.

Buffer Overflow

Memory leak in the afra_box_read function in MP4Box in GPAC 1.0.1

CVE-2021-33361 5.5 - Medium - September 13, 2021

Memory leak in the afra_box_read function in MP4Box in GPAC 1.0.1 allows attackers to read memory via a crafted file.

Buffer Overflow

The gf_isom_vp_config_get function in GPAC 1.0.1

CVE-2021-32139 5.5 - Medium - September 13, 2021

The gf_isom_vp_config_get function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command.

NULL Pointer Dereference

The DumpTrackInfo function in GPAC 1.0.1

CVE-2021-32138 5.5 - Medium - September 13, 2021

The DumpTrackInfo function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command.

NULL Pointer Dereference

Memory leak in the gf_isom_oinf_read_entry function in MP4Box in GPAC 1.0.1

CVE-2021-33366 5.5 - Medium - September 13, 2021

Memory leak in the gf_isom_oinf_read_entry function in MP4Box in GPAC 1.0.1 allows attackers to read memory via a crafted file.

Memory Leak

Memory leak in the def_parent_box_new function in MP4Box in GPAC 1.0.1

CVE-2021-33364 5.5 - Medium - September 13, 2021

Memory leak in the def_parent_box_new function in MP4Box in GPAC 1.0.1 allows attackers to read memory via a crafted file.

Memory Leak

Stack buffer overflow in the hevc_parse_vps_extension function in MP4Box in GPAC 1.0.1

CVE-2021-33362 7.8 - High - September 13, 2021

Stack buffer overflow in the hevc_parse_vps_extension function in MP4Box in GPAC 1.0.1 allows attackers to cause a denial of service or execute arbitrary code via a crafted file.

Memory Corruption

The trak_box_size function in GPAC 1.0.1

CVE-2021-32135 5.5 - Medium - September 13, 2021

The trak_box_size function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command.

NULL Pointer Dereference

The abst_box_size function in GPAC 1.0.1

CVE-2021-32132 5.5 - Medium - September 13, 2021

The abst_box_size function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command.

NULL Pointer Dereference

Heap buffer overflow in the URL_GetProtocolType function in MP4Box in GPAC 1.0.1

CVE-2021-32137 5.5 - Medium - September 13, 2021

Heap buffer overflow in the URL_GetProtocolType function in MP4Box in GPAC 1.0.1 allows attackers to cause a denial of service or execute arbitrary code via a crafted file.

Memory Corruption

The gf_odf_desc_copy function in GPAC 1.0.1

CVE-2021-32134 5.5 - Medium - September 13, 2021

The gf_odf_desc_copy function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command.

NULL Pointer Dereference

Heap buffer overflow in the print_udta function in MP4Box in GPAC 1.0.1

CVE-2021-32136 7.8 - High - September 13, 2021

Heap buffer overflow in the print_udta function in MP4Box in GPAC 1.0.1 allows attackers to cause a denial of service or execute arbitrary code via a crafted file.

Memory Corruption

An issue was discovered in gpac 0.8.0

CVE-2020-19751 9.1 - Critical - September 07, 2021

An issue was discovered in gpac 0.8.0. The gf_odf_del_ipmp_tool function in odf_code.c has a heap-based buffer over-read.

Out-of-bounds Read

An issue was discovered in gpac 0.8.0

CVE-2020-19750 7.5 - High - September 07, 2021

An issue was discovered in gpac 0.8.0. The strdup function in box_code_base.c has a heap-based buffer over-read.

Out-of-bounds Read

An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1

CVE-2021-21850 8.8 - High - August 25, 2021

An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause an integer overflow when the library encounters an atom using the trun FOURCC code due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability.

Integer Overflow or Wraparound

An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1

CVE-2021-21849 8.8 - High - August 25, 2021

An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause an integer overflow when the library encounters an atom using the tfra FOURCC code due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability.

Integer Overflow or Wraparound

An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1

CVE-2021-21848 8.8 - High - August 25, 2021

An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. The library will actually reuse the parser for atoms with the stsz FOURCC code when parsing atoms that use the stz2 FOURCC code and can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability.

Integer Overflow or Wraparound

An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1

CVE-2021-21842 8.8 - High - August 25, 2021

An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause an integer overflow when processing an atom using the 'ssix' FOURCC code, due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability.

Integer Overflow or Wraparound

An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1

CVE-2021-21841 8.8 - High - August 25, 2021

An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input when reading an atom using the 'sbgp' FOURCC code can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability.

Integer Overflow or Wraparound

An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1

CVE-2021-21840 8.8 - High - August 25, 2021

An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input used to process an atom using the saio FOURCC code cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability.

Integer Overflow or Wraparound

An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1

CVE-2021-21836 8.8 - High - August 25, 2021

An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input using the ctts FOURCC code can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability.

Integer Overflow or Wraparound

An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1

CVE-2021-21835 8.8 - High - August 25, 2021

An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input when decoding the atom associated with the csgp FOURCC can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability.

Integer Overflow or Wraparound

An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1

CVE-2021-21834 8.8 - High - August 25, 2021

An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input when decoding the atom for the co64 FOURCC can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability.

Integer Overflow or Wraparound

Multiple exploitable integer truncation vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1

CVE-2021-21862 7.8 - High - August 18, 2021

Multiple exploitable integer truncation vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause an improper memory allocation resulting in a heap-based buffer overflow that causes memory corruption The implementation of the parser used for the Xtra FOURCC code is handled. An attacker can convince a user to open a video to trigger this vulnerability.

Integer Overflow or Wraparound

Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1

CVE-2021-21858 8.8 - High - August 18, 2021

Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause an integer overflow due to unchecked addition arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability.

Integer Overflow or Wraparound

Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1

CVE-2021-21857 8.8 - High - August 18, 2021

Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause an integer overflow due to unchecked addition arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability.

Integer Overflow or Wraparound

Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1

CVE-2021-21856 8.8 - High - August 18, 2021

Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause an integer overflow due to unchecked addition arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability.

Integer Overflow or Wraparound

Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1

CVE-2021-21855 8.8 - High - August 18, 2021

Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause an integer overflow due to unchecked addition arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability.

Integer Overflow or Wraparound

Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1

CVE-2021-21854 8.8 - High - August 18, 2021

Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause an integer overflow due to unchecked addition arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability.

Integer Overflow or Wraparound

Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1

CVE-2021-21853 8.8 - High - August 18, 2021

Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause an integer overflow due to unchecked addition arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability.

Integer Overflow or Wraparound

Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1

CVE-2021-21852 8.8 - High - August 18, 2021

Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input at stss decoder can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability.

Integer Overflow or Wraparound

Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1

CVE-2021-21851 8.8 - High - August 18, 2021

Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input at csgp decoder sample group description indices can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability.

Integer Overflow or Wraparound

Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1

CVE-2021-21847 8.8 - High - August 18, 2021

Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input in stts decoder can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability.

Integer Overflow or Wraparound

Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1

CVE-2021-21846 8.8 - High - August 18, 2021

Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input in stsz decoder can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability.

Integer Overflow or Wraparound

Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1

CVE-2021-21845 8.8 - High - August 18, 2021

Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input in stsc decoder can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability.

Integer Overflow or Wraparound

Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1

CVE-2021-21844 8.8 - High - August 18, 2021

Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input when encountering an atom using the stco FOURCC code, can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability.

Integer Overflow or Wraparound

Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1

CVE-2021-21843 8.8 - High - August 18, 2021

Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. After validating the number of ranges, at [41] the library will multiply the count by the size of the GF_SubsegmentRangeInfo structure. On a 32-bit platform, this multiplication can result in an integer overflow causing the space of the array being allocated to be less than expected. An attacker can convince a user to open a video to trigger this vulnerability.

Integer Overflow or Wraparound

Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1

CVE-2021-21839 8.8 - High - August 18, 2021

Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability.

Integer Overflow or Wraparound

Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1

CVE-2021-21838 8.8 - High - August 18, 2021

Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability.

Integer Overflow or Wraparound

Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1

CVE-2021-21837 8.8 - High - August 18, 2021

Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability.

Integer Overflow or Wraparound

An exploitable integer truncation vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1

CVE-2021-21861 8.8 - High - August 16, 2021

An exploitable integer truncation vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. When processing the 'hdlr' FOURCC code, a specially crafted MPEG-4 input can cause an improper memory allocation resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability.

Incorrect Conversion between Numeric Types

An exploitable integer truncation vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1

CVE-2021-21860 8.8 - High - August 16, 2021

An exploitable integer truncation vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause an improper memory allocation resulting in a heap-based buffer overflow that causes memory corruption. The FOURCC code, 'trik', is parsed by the function within the library. An attacker can convince a user to open a video to trigger this vulnerability.

Incorrect Conversion between Numeric Types

An exploitable integer truncation vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1

CVE-2021-21859 8.8 - High - August 16, 2021

An exploitable integer truncation vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. The stri_box_read function is used when processing atoms using the 'stri' FOURCC code. An attacker can convince a user to open a video to trigger this vulnerability.

Integer Overflow or Wraparound

The Media_RewriteODFrame function in GPAC 1.0.1

CVE-2021-32440 5.5 - Medium - August 11, 2021

The Media_RewriteODFrame function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command.

NULL Pointer Dereference

Buffer overflow in the stbl_AppendSize function in MP4Box in GPAC 1.0.1

CVE-2021-32439 7.8 - High - August 11, 2021

Buffer overflow in the stbl_AppendSize function in MP4Box in GPAC 1.0.1 allows attackers to cause a denial of service or execute arbitrary code via a crafted file.

Classic Buffer Overflow

The gf_media_export_filters function in GPAC 1.0.1

CVE-2021-32438 5.5 - Medium - August 11, 2021

The gf_media_export_filters function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command.

NULL Pointer Dereference

The gf_hinter_finalize function in GPAC 1.0.1

CVE-2021-32437 5.5 - Medium - August 11, 2021

The gf_hinter_finalize function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command.

NULL Pointer Dereference

An issue was discovered in GPAC 1.0.1

CVE-2021-36584 5.5 - Medium - August 05, 2021

An issue was discovered in GPAC 1.0.1. There is a heap-based buffer overflow in the function gp_rtp_builder_do_tx3g function in ietf/rtp_pck_3gpp.c, as demonstrated by MP4Box. This can cause a denial of service (DOS).

Memory Corruption

An issue was discovered in GPAC v0.8.0, as demonstrated by MP4Box

CVE-2020-24829 5.5 - Medium - August 04, 2021

An issue was discovered in GPAC v0.8.0, as demonstrated by MP4Box. It contains a heap-based buffer overflow in gf_m2ts_section_complete in media_tools/mpegts.c that can cause a denial of service (DOS) via a crafted MP4 file.

Memory Corruption

The gf_dash_segmenter_probe_input function in GPAC v0.8

CVE-2020-22352 5.5 - Medium - August 04, 2021

The gf_dash_segmenter_probe_input function in GPAC v0.8 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command.

NULL Pointer Dereference

An issue was discovered in box_code_apple.c:119 in Gpac MP4Box 0.8.0

CVE-2020-19488 5.5 - Medium - July 21, 2021

An issue was discovered in box_code_apple.c:119 in Gpac MP4Box 0.8.0, allows attackers to cause a Denial of Service due to an invalid read on function ilst_item_Read.

NULL Pointer Dereference

An issue was discovered in GPAC before 0.8.0, as demonstrated by MP4Box

CVE-2020-19481 5.5 - Medium - July 21, 2021

An issue was discovered in GPAC before 0.8.0, as demonstrated by MP4Box. It contains an invalid memory read in gf_m2ts_process_pmt in media_tools/mpegts.c that can cause a denial of service via a crafted MP4 file.

Out-of-bounds Read

An issue was discovered in gpac before 1.0.1

CVE-2020-23928 7.1 - High - April 21, 2021

An issue was discovered in gpac before 1.0.1. The abst_box_read function in box_code_adobe.c has a heap-based buffer over-read.

Out-of-bounds Read

An issue was discovered in gpac through 20200801

CVE-2020-23930 5.5 - Medium - April 21, 2021

An issue was discovered in gpac through 20200801. A NULL pointer dereference exists in the function nhmldump_send_header located in write_nhml.c. It allows an attacker to cause Denial of Service.

NULL Pointer Dereference

An issue was discovered in gpac before 1.0.1

CVE-2020-23931 7.1 - High - April 21, 2021

An issue was discovered in gpac before 1.0.1. The abst_box_read function in box_code_adobe.c has a heap-based buffer over-read.

Out-of-bounds Read

An issue was discovered in gpac before 1.0.1

CVE-2020-23932 5.5 - Medium - April 21, 2021

An issue was discovered in gpac before 1.0.1. A NULL pointer dereference exists in the function dump_isom_sdp located in filedump.c. It allows an attacker to cause Denial of Service.

NULL Pointer Dereference

An issue was discovered in GPAC version 0.8.0 and 1.0.1

CVE-2020-35982 7.8 - High - April 21, 2021

An issue was discovered in GPAC version 0.8.0 and 1.0.1. There is an invalid pointer dereference in the function gf_hinter_track_finalize() in media_tools/isom_hinter.c.

NULL Pointer Dereference

An issue was discovered in GPAC version 0.8.0 and 1.0.1

CVE-2020-35981 7.8 - High - April 21, 2021

An issue was discovered in GPAC version 0.8.0 and 1.0.1. There is an invalid pointer dereference in the function SetupWriters() in isomedia/isom_store.c.

NULL Pointer Dereference

An issue was discovered in GPAC version 0.8.0 and 1.0.1

CVE-2020-35980 7.8 - High - April 21, 2021

An issue was discovered in GPAC version 0.8.0 and 1.0.1. There is a use-after-free in the function gf_isom_box_del() in isomedia/box_funcs.c.

Dangling pointer

An issue was discovered in GPAC version 0.8.0 and 1.0.1

CVE-2020-35979 7.8 - High - April 21, 2021

An issue was discovered in GPAC version 0.8.0 and 1.0.1. There is heap-based buffer overflow in the function gp_rtp_builder_do_avc() in ietf/rtp_pck_mpeg4.c.

Memory Corruption

There is a integer overflow in function filter_core/filter_props.c:gf_props_assign_value in GPAC 1.0.1

CVE-2021-29279 7.8 - High - April 19, 2021

There is a integer overflow in function filter_core/filter_props.c:gf_props_assign_value in GPAC 1.0.1. In which, the arg const GF_PropertyValue *value,maybe value->value.data.size is a negative number. In result, memcpy in gf_props_assign_value failed.

Memory Corruption

There is a integer overflow in media_tools/av_parsers.c in the hevc_parse_slice_segment function in GPAC 1.0.1

CVE-2021-30014 5.5 - Medium - April 19, 2021

There is a integer overflow in media_tools/av_parsers.c in the hevc_parse_slice_segment function in GPAC 1.0.1 which results in a crash.

Integer Overflow or Wraparound

There is a Null Pointer Dereference in function filter_core/filter_pck.c:gf_filter_pck_new_alloc_internal in GPAC 1.0.1

CVE-2021-30015 5.5 - Medium - April 19, 2021

There is a Null Pointer Dereference in function filter_core/filter_pck.c:gf_filter_pck_new_alloc_internal in GPAC 1.0.1. The pid comes from function av1dmx_parse_flush_sample, the ctx.opid maybe NULL. The result is a crash in gf_filter_pck_new_alloc_internal.

NULL Pointer Dereference

In the adts_dmx_process function in filters/reframe_adts.c in GPAC 1.0.1

CVE-2021-30019 5.5 - Medium - April 19, 2021

In the adts_dmx_process function in filters/reframe_adts.c in GPAC 1.0.1, a crafted file may cause ctx->hdr.frame_size to be smaller than ctx->hdr.hdr_size, resulting in size to be a negative number and a heap overflow in the memcpy.

Memory Corruption

In the function gf_hevc_read_pps_bs_internal function in media_tools/av_parsers.c in GPAC 1.0.1 there is a loop

CVE-2021-30020 5.5 - Medium - April 19, 2021

In the function gf_hevc_read_pps_bs_internal function in media_tools/av_parsers.c in GPAC 1.0.1 there is a loop, which with crafted file, pps->num_tile_columns may be larger than sizeof(pps->column_width), which results in a heap overflow in the loop.

Memory Corruption

There is a integer overflow in media_tools/av_parsers.c in the gf_avc_read_pps_bs_internal in GPAC 1.0.1

CVE-2021-30022 5.5 - Medium - April 19, 2021

There is a integer overflow in media_tools/av_parsers.c in the gf_avc_read_pps_bs_internal in GPAC 1.0.1. pps_id may be a negative number, so it will not return. However, avc->pps only has 255 unit, so there is an overflow, which results a crash.

Integer Overflow or Wraparound

In filters/reframe_latm.c in GPAC 1.0.1 there is a Null Pointer Dereference, when gf_filter_pck_get_data is called

CVE-2021-30199 5.5 - Medium - April 19, 2021

In filters/reframe_latm.c in GPAC 1.0.1 there is a Null Pointer Dereference, when gf_filter_pck_get_data is called. The first arg pck may be null with a crafted mp4 file,which results in a crash.

NULL Pointer Dereference

Buffer overflow in the abst_box_read function in MP4Box in GPAC 1.0.1

CVE-2021-31255 7.8 - High - April 19, 2021

Buffer overflow in the abst_box_read function in MP4Box in GPAC 1.0.1 allows attackers to cause a denial of service or execute arbitrary code via a crafted file.

Classic Buffer Overflow

Memory leak in the stbl_GetSampleInfos function in MP4Box in GPAC 1.0.1

CVE-2021-31256 5.5 - Medium - April 19, 2021

Memory leak in the stbl_GetSampleInfos function in MP4Box in GPAC 1.0.1 allows attackers to read memory via a crafted file.

Buffer Overflow

The HintFile function in GPAC 1.0.1

CVE-2021-31257 5.5 - Medium - April 19, 2021

The HintFile function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command.

NULL Pointer Dereference

The gf_isom_set_extraction_slc function in GPAC 1.0.1

CVE-2021-31258 5.5 - Medium - April 19, 2021

The gf_isom_set_extraction_slc function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command.

NULL Pointer Dereference

The gf_isom_cenc_get_default_info_internal function in GPAC 1.0.1

CVE-2021-31259 5.5 - Medium - April 19, 2021

The gf_isom_cenc_get_default_info_internal function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command.

NULL Pointer Dereference

The MergeTrack function in GPAC 1.0.1

CVE-2021-31260 5.5 - Medium - April 19, 2021

The MergeTrack function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command.

NULL Pointer Dereference

The gf_hinter_track_new function in GPAC 1.0.1

CVE-2021-31261 5.5 - Medium - April 19, 2021

The gf_hinter_track_new function in GPAC 1.0.1 allows attackers to read memory via a crafted file in the MP4Box command.

Buffer Overflow

The AV1_DuplicateConfig function in GPAC 1.0.1

CVE-2021-31262 5.5 - Medium - April 19, 2021

The AV1_DuplicateConfig function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command.

NULL Pointer Dereference

Buffer overflow in the tenc_box_read function in MP4Box in GPAC 1.0.1

CVE-2021-31254 7.8 - High - April 19, 2021

Buffer overflow in the tenc_box_read function in MP4Box in GPAC 1.0.1 allows attackers to cause a denial of service or execute arbitrary code via a crafted file, related invalid IV sizes.

Memory Corruption

NULL Pointer Dereference in the "isomedia/track.c" module's "MergeTrack()" function of GPAC v0.5.2

CVE-2021-28300 9.8 - Critical - April 14, 2021

NULL Pointer Dereference in the "isomedia/track.c" module's "MergeTrack()" function of GPAC v0.5.2 allows attackers to execute arbitrary code or cause a Denial-of-Service (DoS) by uploading a malicious MP4 file.

NULL Pointer Dereference

An issue was discovered in libgpac.a in GPAC 0.8.0, as demonstrated by MP4Box

CVE-2020-11558 9.8 - Critical - April 05, 2020

An issue was discovered in libgpac.a in GPAC 0.8.0, as demonstrated by MP4Box. audio_sample_entry_Read in isomedia/box_code_base.c does not properly decide when to make gf_isom_box_del calls. This leads to various use-after-free outcomes involving mdia_Read, gf_isom_delete_movie, and gf_isom_parse_movie_boxes.

Dangling pointer

An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstrated by MP4Box

CVE-2019-20628 5.5 - Medium - March 24, 2020

An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstrated by MP4Box. It contains a Use-After-Free vulnerability in gf_m2ts_process_pmt in media_tools/mpegts.c that can cause a denial of service via a crafted MP4 file.

Dangling pointer

An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstrated by MP4Box

CVE-2019-20629 5.5 - Medium - March 24, 2020

An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstrated by MP4Box. It contains a heap-based buffer over-read in gf_m2ts_process_pmt in media_tools/mpegts.c that can cause a denial of service via a crafted MP4 file.

Out-of-bounds Read

An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstrated by MP4Box

CVE-2019-20630 5.5 - Medium - March 24, 2020

An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstrated by MP4Box. It contains a heap-based buffer over-read in BS_ReadByte (called from gf_bs_read_bit) in utils/bitstream.c that can cause a denial of service via a crafted MP4 file.

Out-of-bounds Read

An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstrated by MP4Box

CVE-2019-20631 5.5 - Medium - March 24, 2020

An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstrated by MP4Box. It contains an invalid pointer dereference in gf_list_count in utils/list.c that can cause a denial of service via a crafted MP4 file.

Release of Invalid Pointer or Reference

An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstrated by MP4Box

CVE-2019-20632 5.5 - Medium - March 24, 2020

An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstrated by MP4Box. It contains an invalid pointer dereference in gf_odf_delete_descriptor in odf/desc_private.c that can cause a denial of service via a crafted MP4 file.

Release of Invalid Pointer or Reference

An issue was discovered in GPAC version 0.8.0

CVE-2020-6630 5.5 - Medium - January 09, 2020

An issue was discovered in GPAC version 0.8.0. There is a NULL pointer dereference in the function gf_isom_get_media_data_size() in isomedia/isom_read.c.

NULL Pointer Dereference

An issue was discovered in GPAC version 0.8.0

CVE-2020-6631 5.5 - Medium - January 09, 2020

An issue was discovered in GPAC version 0.8.0. There is a NULL pointer dereference in the function gf_m2ts_stream_process_pmt() in media_tools/m2ts_mux.c.

NULL Pointer Dereference

dimC_Read in isomedia/box_code_3gpp.c in GPAC 0.8.0 has a stack-based buffer overflow.

CVE-2019-20208 5.5 - Medium - January 02, 2020

dimC_Read in isomedia/box_code_3gpp.c in GPAC 0.8.0 has a stack-based buffer overflow.

Memory Corruption

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Gpac or by Gpac? Click the Watch button to subscribe.

Gpac
Vendor

Gpac
Product

subscribe