Stack buffer overflow in XML entity parsing in gpac/gpac


Reported on

Mar 27th 2022


Attempting to parse an XML/SVG file containing an <!ENTITY declaration with a sufficiently long name into a fixed-size, stack-allocated buffer causes an overflow.

Proof of Concept

./bin/gcc/gpac -play ./poc-clean.svg

poc-clean.svg available here


*** stack smashing detected ***: terminated
Thread 1 "gpac" received signal SIGABRT, Aborted.
0x00007ffff74b934c in __pthread_kill_implementation () from /usr/lib/
(gdb) bt
#0  0x00007ffff74b934c in __pthread_kill_implementation () at /usr/lib/
#1  0x00007ffff746c4b8 in raise () at /usr/lib/
#2  0x00007ffff7456534 in abort () at /usr/lib/
#3  0x00007ffff74ad397 in __libc_message () at /usr/lib/
#4  0x00007ffff754c2fa in __fortify_fail () at /usr/lib/
#5  0x00007ffff754c2c6 in  () at /usr/lib/
#6  0x00007ffff7754f5a in  () at /gpac/bin/gcc/
#7  0x00007ffff77550e8 in xml_sax_parse () at /gpac/bin/gcc/
#8  0x00007ffff775658b in xml_sax_read_file.part () at /gpac/bin/gcc/
#9  0x00007ffff7756876 in gf_xml_sax_parse_file () at /gpac/bin/gcc/
#10 0x00007ffff79ea5f6 in load_svg_run () at /gpac/bin/gcc/
#11 0x00007ffff7c20471 in svgin_process () at /gpac/bin/gcc/
#12 0x00007ffff7b4f8c5 in gf_filter_process_task () at /gpac/bin/gcc/
#13 0x00007ffff7b3cdc7 in gf_fs_thread_proc () at /gpac/bin/gcc/
#14 0x00007ffff7b41d7b in gf_fs_run () at /gpac/bin/gcc/
#15 0x0000555555563194 in gpac_main ()
#16 0x00007ffff7457310 in __libc_start_call_main () at /usr/lib/
#17 0x00007ffff74573c1 in __libc_start_main_impl () at /usr/lib/
#18 0x0000555555559dc5 in _start ()


There is no length check on this write to the fixed-size array "szName", so a sufficiently long entity name writes out of bounds.
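A bounded version of the copy the report describes, as an added example and not gpac's own code: the entity name is read into a fixed-size buffer and the declaration is rejected when the name would not fit. The buffer size (ENTITY_NAME_CAP) and the simplified name character set are assumptions, since the page gives neither.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Assumed capacity for the example; the real szName size in gpac's
 * xml_parser.c is not stated in the report. */
#define ENTITY_NAME_CAP 64

/* Characters accepted in an entity name (simplified ASCII subset of XML Name). */
static int entity_name_char(int c) {
    return isalnum(c) || c == '_' || c == '-' || c == '.' || c == ':';
}

/* Extract the name from an "<!ENTITY name ..." declaration into `out`.
 * Returns the name length on success, -1 if the declaration is malformed,
 * -2 if the name would not fit in out_cap bytes (the case that overflowed
 * szName in the report). `out` is always NUL-terminated on return. */
int parse_entity_name(const char *decl, char *out, size_t out_cap) {
    const char *p = decl;
    size_t n = 0;
    if (out_cap == 0) return -1;
    out[0] = '\0';
    if (strncmp(p, "<!ENTITY", 8) != 0) return -1;
    p += 8;
    if (!isspace((unsigned char)*p)) return -1;
    while (isspace((unsigned char)*p)) p++;
    /* Bounded copy: always leave one byte for the terminating NUL. */
    while (entity_name_char((unsigned char)p[n])) {
        if (n + 1 >= out_cap) {   /* name longer than the buffer allows */
            out[0] = '\0';
            return -2;
        }
        out[n] = p[n];
        n++;
    }
    if (n == 0) return -1;         /* declaration carries no name */
    out[n] = '\0';
    return (int)n;
}

/* Build "<!ENTITY aaa... \"v\">" with a constructed name of `len` 'a's and
 * parse it into a stack buffer sized like szName, returning the verdict. */
int check_name_length(size_t len) {
    char decl[512];
    char szName[ENTITY_NAME_CAP];
    if (len > 400) return -1;
    memcpy(decl, "<!ENTITY ", 9);
    memset(decl + 9, 'a', len);
    memcpy(decl + 9 + len, " \"v\">", 6);  /* 5 characters plus NUL */
    return parse_entity_name(decl, szName, sizeof szName);
}
```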

We are processing your report and will contact the gpac team within 24 hours. a year ago
We have contacted a member of the gpac team and are waiting to hear back a year ago


gpac/gpac maintainer validated this vulnerability a year ago
Callum Thomson has been awarded the disclosure bounty
The fix bounty is now up for grabs
gpac/gpac maintainer marked this as fixed in 2.1.0-DEV with commit a74b68 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
xml_parser.c#L688 has been validated