Unhandled SWF Tags in MP4Box: Potential Vulnerability in GPAC in gpac/gpac

Valid

Reported on

Mar 22nd 2023

An unhandled series of SWF tags have been identified in the MP4Box software, which is part of the GPAC multimedia framework. These tags are not properly processed, leading to potential vulnerabilities such as denial of service, buffer overflows, or other malicious attacks.

POC: # ./MP4Box -dash 1000 POC4 LINK: https://drive.google.com/file/d/1hHzxolxklZDG_wtowwUEmel9-HAya9Az/view?usp=share_link

Impact

As a result of these unhandled tags, the software may be prone to exploitation by attackers, who can leverage the vulnerability to compromise the affected system, steal sensitive information, or disrupt normal operations. It is recommended to promptly patch or update the software to a version that addresses these issues to minimize the risk of potential attacks.

We are processing your report and will contact the gpac team within 24 hours. 2 months ago

We have contacted a member of the gpac team and are waiting to hear back 2 months ago

A gpac/gpac maintainer

commented 2 months ago

Maintainer

https://github.com/gpac/gpac/issues/2426

A gpac/gpac maintainer validated this vulnerability 2 months ago

Juan Pablo Lopez Yacubian has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

A gpac/gpac maintainer marked this as fixed in 2.4.0 with commit 2c0551 2 months ago

The fix bounty has been dropped

This vulnerability has been assigned a CVE

A gpac/gpac maintainer published this vulnerability 2 months ago

to join this conversation