Gpac

An issue was discovered in GPAC v0.8.0, as demonstrated by MP4Box

CVE-2024-57184 - January 24, 2025

An issue was discovered in GPAC v0.8.0, as demonstrated by MP4Box. It contains a heap-based buffer overflow in gf_m2ts_process_pmt in media_tools/mpegts.c:2163 that can cause a denial of service (DOS) via a crafted MP4 file.

gpac 2.4 contains a heap-buffer-overflow at isomedia/sample_descs.c:1799 in gf_isom_new_mpha_description in gpac/MP4Box.

CVE-2024-50664 7.8 - High - January 23, 2025

gpac 2.4 contains a heap-buffer-overflow at isomedia/sample_descs.c:1799 in gf_isom_new_mpha_description in gpac/MP4Box.

Memory Corruption

gpac 2.4 contains a SEGV at src/isomedia/drm_sample.c:1562:96 in isom_cenc_get_sai_by_saiz_saio in MP4Box.

CVE-2024-50665 5.5 - Medium - January 23, 2025

gpac 2.4 contains a SEGV at src/isomedia/drm_sample.c:1562:96 in isom_cenc_get_sai_by_saiz_saio in MP4Box.

NULL Pointer Dereference

A use after free vulnerability exists in GPAC version 2.3-DEV-revrelease

CVE-2023-4679 5.5 - Medium - November 15, 2024

A use after free vulnerability exists in GPAC version 2.3-DEV-revrelease, specifically in the gf_filterpacket_del function in filter_core/filter.c at line 38. This vulnerability can lead to a double-free condition, which may cause the application to crash.

Dangling pointer

A vulnerability was found in GPAC 2.5-DEV-rev228-g11067ea92-master

CVE-2024-6063 5.5 - Medium - June 17, 2024

A vulnerability was found in GPAC 2.5-DEV-rev228-g11067ea92-master. It has been classified as problematic. This affects the function m2tsdmx_on_event of the file src/filters/dmx_m2ts.c of the component MP4Box. The manipulation leads to null pointer dereference. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The patch is named 8767ed0a77c4b02287db3723e92c2169f67c85d5. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-268791.

NULL Pointer Dereference

A vulnerability was found in GPAC 2.5-DEV-rev228-g11067ea92-master

CVE-2024-6064 5.5 - Medium - June 17, 2024

A vulnerability was found in GPAC 2.5-DEV-rev228-g11067ea92-master. It has been declared as problematic. This vulnerability affects the function xmt_node_end of the file src/scene_manager/loader_xmt.c of the component MP4Box. The manipulation leads to use after free. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The name of the patch is f4b3e4d2f91bc1749e7a924a8ab171af03a355a8/c1b9c794bad8f262c56f3cf690567980d96662f5. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-268792.

Dangling pointer

A vulnerability has been found in GPAC 2.5-DEV-rev228-g11067ea92-master and classified as problematic

CVE-2024-6061 5.5 - Medium - June 17, 2024

A vulnerability has been found in GPAC 2.5-DEV-rev228-g11067ea92-master and classified as problematic. Affected by this vulnerability is the function isoffin_process of the file src/filters/isoffin_read.c of the component MP4Box. The manipulation leads to infinite loop. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The identifier of the patch is 20c0f29139a82779b86453ce7f68d0681ec7624c. It is recommended to apply a patch to fix this issue. The identifier VDB-268789 was assigned to this vulnerability.

Infinite Loop

A vulnerability was found in GPAC 2.5-DEV-rev228-g11067ea92-master and classified as problematic

CVE-2024-6062 5.5 - Medium - June 17, 2024

A vulnerability was found in GPAC 2.5-DEV-rev228-g11067ea92-master and classified as problematic. Affected by this issue is the function swf_svg_add_iso_sample of the file src/filters/load_text.c of the component MP4Box. The manipulation leads to null pointer dereference. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The patch is identified as 31e499d310a48bd17c8b055a0bfe0fe35887a7cd. It is recommended to apply a patch to fix this issue. VDB-268790 is the identifier assigned to this vulnerability.

NULL Pointer Dereference

gpac v2.2.1 was discovered to contain a memory leak

CVE-2024-24265 7.5 - High - February 05, 2024

gpac v2.2.1 was discovered to contain a memory leak via the dst_props variable in the gf_filter_pid_merge_properties_internal function.

Memory Leak

gpac v2.2.1 was discovered to contain a Use-After-Free (UAF) vulnerability

CVE-2024-24266 7.5 - High - February 05, 2024

gpac v2.2.1 was discovered to contain a Use-After-Free (UAF) vulnerability via the dasher_configure_pid function at /src/filters/dasher.c.

Dangling pointer

gpac v2.2.1 was discovered to contain a memory leak

CVE-2024-24267 7.5 - High - February 05, 2024

gpac v2.2.1 was discovered to contain a memory leak via the gfio_blob variable in the gf_fileio_from_blob function.

Memory Leak

GPAC v2.3 was detected to contain a buffer overflow

CVE-2024-22749 7.8 - High - January 25, 2024

GPAC v2.3 was detected to contain a buffer overflow via the function gf_isom_new_generic_sample_description function in the isomedia/isom_write.c:4577

Classic Buffer Overflow

MP4Box GPAC version 2.3-DEV-rev636-gfbd7e13aa-master was discovered to contain an infinite loop in the function av1_uvlc at media_tools/av_parsers.c

CVE-2023-50120 5.5 - Medium - January 10, 2024

MP4Box GPAC version 2.3-DEV-rev636-gfbd7e13aa-master was discovered to contain an infinite loop in the function av1_uvlc at media_tools/av_parsers.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.

Infinite Loop

Stack-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.3-DEV.

CVE-2024-0321 9.8 - Critical - January 08, 2024

Stack-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.3-DEV.

Memory Corruption

Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.3-DEV.

CVE-2024-0322 9.1 - Critical - January 08, 2024

Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.3-DEV.

Out-of-bounds Read

An issue discovered in GPAC 2.3-DEV-rev605-gfc9e29089-master in MP4Box in gf_avc_change_vui /afltest/gpac/src/media_tools/av_parsers.c:6872:55

CVE-2023-46929 7.5 - High - January 03, 2024

An issue discovered in GPAC 2.3-DEV-rev605-gfc9e29089-master in MP4Box in gf_avc_change_vui /afltest/gpac/src/media_tools/av_parsers.c:6872:55 allows attackers to crash the application.

Heap Buffer Overflow vulnerability in GPAC version 2.3-DEV-rev617-g671976fcc-master, allows attackers to execute arbitrary code

CVE-2023-46932 9.8 - Critical - December 09, 2023

Heap Buffer Overflow vulnerability in GPAC version 2.3-DEV-rev617-g671976fcc-master, allows attackers to execute arbitrary code and cause a denial of service (DoS) via str2ulong class in src/media_tools/avilib.c in gpac/MP4Box.

Memory Corruption

An issue in GPAC v.2.2.1 and before

CVE-2023-47465 5.5 - Medium - December 09, 2023

An issue in GPAC v.2.2.1 and before allows a local attacker to cause a denial of service (DoS) via the ctts_box_read function of file src/isomedia/box_code_base.c.

GPAC version 2.3-DEV-rev602-ged8424300-master in MP4Box contains a memory leak in NewSFDouble scenegraph/vrml_tools.c:300

CVE-2023-46871 5.3 - Medium - December 07, 2023

GPAC version 2.3-DEV-rev602-ged8424300-master in MP4Box contains a memory leak in NewSFDouble scenegraph/vrml_tools.c:300. This vulnerability may lead to a denial of service.

Memory Leak

gpac 2.3-DEV-rev617-g671976fcc-master contains memory leaks in gf_mpd_resolve_url media_tools/mpd.c:4589.

CVE-2023-48958 5.5 - Medium - December 07, 2023

gpac 2.3-DEV-rev617-g671976fcc-master contains memory leaks in gf_mpd_resolve_url media_tools/mpd.c:4589.

Memory Leak

GPAC 2.3-DEV-rev617-g671976fcc-master is vulnerable to memory leak in gf_mpd_parse_string media_tools/mpd.c:75.

CVE-2023-48039 5.5 - Medium - November 20, 2023

GPAC 2.3-DEV-rev617-g671976fcc-master is vulnerable to memory leak in gf_mpd_parse_string media_tools/mpd.c:75.

Memory Leak

GPAC 2.3-DEV-rev617-g671976fcc-master is vulnerable to memory leaks in extract_attributes media_tools/m3u8.c:329.

CVE-2023-48090 7.1 - High - November 20, 2023

GPAC 2.3-DEV-rev617-g671976fcc-master is vulnerable to memory leaks in extract_attributes media_tools/m3u8.c:329.

Memory Leak

GPAC v2.3-DEV-rev566-g50c2ab06f-master was discovered to contain a heap-use-after-free

CVE-2023-48011 7.8 - High - November 15, 2023

GPAC v2.3-DEV-rev566-g50c2ab06f-master was discovered to contain a heap-use-after-free via the flush_ref_samples function at /gpac/src/isomedia/movie_fragments.c.

Dangling pointer

GPAC v2.3-DEV-rev566-g50c2ab06f-master was discovered to contain a double free

CVE-2023-48013 7.8 - High - November 15, 2023

GPAC v2.3-DEV-rev566-g50c2ab06f-master was discovered to contain a double free via the gf_filterpacket_del function at /gpac/src/filter_core/filter.c.

Double-free

GPAC v2.3-DEV-rev566-g50c2ab06f-master was discovered to contain a stack overflow

CVE-2023-48014 7.8 - High - November 15, 2023

GPAC v2.3-DEV-rev566-g50c2ab06f-master was discovered to contain a stack overflow via the hevc_parse_vps_extension function at /media_tools/av_parsers.c.

Memory Corruption

MP4Box GPAC v2.3-DEV-rev617-g671976fcc-master was discovered to contain a memory leak in the function gf_isom_add_chapter at /isomedia/isom_write.c

CVE-2023-47384 5.5 - Medium - November 14, 2023

MP4Box GPAC v2.3-DEV-rev617-g671976fcc-master was discovered to contain a memory leak in the function gf_isom_add_chapter at /isomedia/isom_write.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.

Memory Leak

Buffer Overflow vulnerability in gpac MP4Box v.2.3-DEV-rev573-g201320819-master

CVE-2023-46001 5.5 - Medium - November 07, 2023

Buffer Overflow vulnerability in gpac MP4Box v.2.3-DEV-rev573-g201320819-master allows a local attacker to cause a denial of service via the gpac/src/isomedia/isom_read.c:2807:51 function in gf_isom_get_user_data.

Classic Buffer Overflow

Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.3.0-DEV.

CVE-2023-5998 7.5 - High - November 07, 2023

Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.3.0-DEV.

GPAC 2.3-DEV-rev605-gfc9e29089-master contains a heap-buffer-overflow in gf_isom_use_compact_size gpac/src/isomedia/isom_write.c:3403:3 in gpac/MP4Box.

CVE-2023-46927 5.5 - Medium - November 01, 2023

GPAC 2.3-DEV-rev605-gfc9e29089-master contains a heap-buffer-overflow in gf_isom_use_compact_size gpac/src/isomedia/isom_write.c:3403:3 in gpac/MP4Box.

Memory Corruption

GPAC 2.3-DEV-rev605-gfc9e29089-master contains a SEGV in gpac/MP4Box in gf_media_change_pl /afltest/gpac/src/media_tools/isom_tools.c:3293:42.

CVE-2023-46928 5.5 - Medium - November 01, 2023

GPAC 2.3-DEV-rev605-gfc9e29089-master contains a SEGV in gpac/MP4Box in gf_media_change_pl /afltest/gpac/src/media_tools/isom_tools.c:3293:42.

GPAC 2.3-DEV-rev605-gfc9e29089-master contains a SEGV in gpac/MP4Box in gf_isom_find_od_id_for_track /afltest/gpac/src/isomedia/media_odf.c:522:14.

CVE-2023-46930 5.5 - Medium - November 01, 2023

GPAC 2.3-DEV-rev605-gfc9e29089-master contains a SEGV in gpac/MP4Box in gf_isom_find_od_id_for_track /afltest/gpac/src/isomedia/media_odf.c:522:14.

GPAC 2.3-DEV-rev605-gfc9e29089-master contains a heap-buffer-overflow in ffdmx_parse_side_data /afltest/gpac/src/filters/ff_dmx.c:202:14 in gpac/MP4Box.

CVE-2023-46931 5.5 - Medium - November 01, 2023

GPAC 2.3-DEV-rev605-gfc9e29089-master contains a heap-buffer-overflow in ffdmx_parse_side_data /afltest/gpac/src/filters/ff_dmx.c:202:14 in gpac/MP4Box.

Memory Corruption

Denial of Service in GitHub repository gpac/gpac prior to 2.3.0-DEV.

CVE-2023-5595 5.5 - Medium - October 16, 2023

Denial of Service in GitHub repository gpac/gpac prior to 2.3.0-DEV.

NULL Pointer Dereference in GitHub repository gpac/gpac prior to 2.3.0-DEV.

CVE-2023-5586 7.8 - High - October 15, 2023

NULL Pointer Dereference in GitHub repository gpac/gpac prior to 2.3.0-DEV.

NULL Pointer Dereference

An issue in GPAC GPAC v.2.2.1 and before

CVE-2023-42298 5.5 - Medium - October 12, 2023

An issue in GPAC GPAC v.2.2.1 and before allows a local attacker to cause a denial of service via the Q_DecCoordOnUnitSphere function of file src/bifs/unquantize.c.

Integer Overflow or Wraparound

Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.2.2.

CVE-2023-5520 7.1 - High - October 11, 2023

Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.2.2.

Out-of-bounds Read

Out-of-bounds Read in GitHub repository gpac/gpac prior to v2.2.2-DEV.

CVE-2023-5377 7.1 - High - October 04, 2023

Out-of-bounds Read in GitHub repository gpac/gpac prior to v2.2.2-DEV.

Out-of-bounds Read

GPAC through 2.2.1 has a use-after-free vulnerability in the function gf_bifs_flush_command_list in bifs/memory_decoder.c.

CVE-2023-41000 5.5 - Medium - September 11, 2023

GPAC through 2.2.1 has a use-after-free vulnerability in the function gf_bifs_flush_command_list in bifs/memory_decoder.c.

Dangling pointer

Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.3-DEV.

CVE-2023-4778 5.5 - Medium - September 05, 2023

Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.3-DEV.

Out-of-bounds Read

Buffer Over-read in GitHub repository gpac/gpac prior to 2.3-DEV.

CVE-2023-4758 5.5 - Medium - September 04, 2023

Buffer Over-read in GitHub repository gpac/gpac prior to 2.3-DEV.

Out-of-bounds Read

Use After Free in GitHub repository gpac/gpac prior to 2.3-DEV.

CVE-2023-4755 5.5 - Medium - September 04, 2023

Use After Free in GitHub repository gpac/gpac prior to 2.3-DEV.

Dangling pointer

Stack-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.3-DEV.

CVE-2023-4756 5.5 - Medium - September 04, 2023

Stack-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.3-DEV.

Memory Corruption

Out-of-bounds Write in GitHub repository gpac/gpac prior to 2.3-DEV.

CVE-2023-4754 5.5 - Medium - September 04, 2023

Out-of-bounds Write in GitHub repository gpac/gpac prior to 2.3-DEV.

Memory Corruption

Floating Point Comparison with Incorrect Operator in GitHub repository gpac/gpac prior to 2.3-DEV.

CVE-2023-4720 5.5 - Medium - September 01, 2023

Floating Point Comparison with Incorrect Operator in GitHub repository gpac/gpac prior to 2.3-DEV.

Floating Point Comparison with Incorrect Operator

Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.3-DEV.

CVE-2023-4721 5.5 - Medium - September 01, 2023

Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.3-DEV.

Out-of-bounds Read

Integer Overflow or Wraparound in GitHub repository gpac/gpac prior to 2.3-DEV.

CVE-2023-4722 5.5 - Medium - September 01, 2023

Integer Overflow or Wraparound in GitHub repository gpac/gpac prior to 2.3-DEV.

Integer Overflow or Wraparound

Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.3-DEV.

CVE-2023-4682 5.5 - Medium - August 31, 2023

Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.3-DEV.

Heap-based Buffer Overflow

NULL Pointer Dereference in GitHub repository gpac/gpac prior to 2.3-DEV.

CVE-2023-4681 5.5 - Medium - August 31, 2023

NULL Pointer Dereference in GitHub repository gpac/gpac prior to 2.3-DEV.

NULL Pointer Dereference

NULL Pointer Dereference in GitHub repository gpac/gpac prior to 2.3-DEV.

CVE-2023-4683 5.5 - Medium - August 31, 2023

NULL Pointer Dereference in GitHub repository gpac/gpac prior to 2.3-DEV.

NULL Pointer Dereference

Divide By Zero in GitHub repository gpac/gpac prior to 2.3-DEV.

CVE-2023-4678 5.5 - Medium - August 31, 2023

Divide By Zero in GitHub repository gpac/gpac prior to 2.3-DEV.

Divide By Zero