References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

Change History

https://github.com/gpac/gpac/security/advisories/GHSA-3jw5-9pmw-vmfg

GPAC is an open-source multimedia framework. Prior to commit 86b0e36, a heap-based buffer overflow (write) vulnerability was discovered in GPAC MP4Box. The vulnerability exists in the gf_xml_parse_bit_sequence_bs function in utils/xml_bin_custom.c when processing a crafted NHML file containing malicious <BS> (BitSequence) elements. An attacker can exploit this by providing a specially crafted NHML file, causing an out-of-bounds write on the heap. This issue has been via commit 86b0e36.

AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:H

CWE-787

https://github.com/gpac/gpac/commit/86b0e36ea4c71402fbdaf7e13d73ba8841003e72

https://github.com/gpac/gpac/security/advisories/GHSA-3jw5-9pmw-vmfg