NULL Pointer Dereference in function xml_sax_append_string in gpac/gpac


Reported on

May 26th 2023


NULL Pointer Dereference In utils/xml_parser.c:963


No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04 LTS
Release:    20.04
Codename:   focal


MP4Box - GPAC version 2.3-DEV-rev293-g56eed04c2-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ -
    MINI build (encoders, decoders, audio and video output disabled)

Please cite our work in your research:
    GPAC Filters:


sudo CC=gcc CXX=g++ CFLAGS="-fsanitize=address -static-libasan" CXXFLAGS="-fsanitize=address -static-libasan" LDFLAGS="-fsanitize=address -static-libasan" ./configure && sudo make

Proof of Concept

./MP4Box -bin ./gpac_null_ptr_poc

poc is here


./MP4Box -bin ./gpac_null_ptr_poc                                             
==1568303==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f8c0e58e6e5 bp 0x7ffcbc50b160 sp 0x7ffcbc50a8d8 T0)
==1568303==The signal is caused by a READ memory access.
==1568303==Hint: address points to the zero page.
    #0 0x7f8c0e58e6e4  (/lib/x86_64-linux-gnu/
    #1 0x55eab7ceabdb in __interceptor_strlen.part.0 (/home/hack/fuzz/asan_bin/bin/MP4Box+0x62bdb)
    #2 0x7f8c0e879735 in gf_xml_sax_parse_intern (../lib/
    #3 0x7f8c0e879b94 in gf_xml_sax_parse (../lib/
    #4 0x7f8c0e879c32 in xml_sax_read_file.part.0 (../lib/
    #5 0x7f8c0e879f26 in gf_xml_sax_parse_file (../lib/
    #6 0x7f8c0e87af62 in gf_xml_dom_parse (../lib/
    #7 0x55eab7dd34f4 in xml_bs_to_bin (/home/hack/fuzz/asan_bin/bin/MP4Box+0x14b4f4)
    #8 0x55eab7de37cc in mp4box_main (/home/hack/fuzz/asan_bin/bin/MP4Box+0x15b7cc)
    #9 0x7f8c0e42a082 in __libc_start_main ../csu/libc-start.c:308
    #10 0x55eab7ca5e1d in _start (/home/hack/fuzz/asan_bin/bin/MP4Box+0x1de1d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/ 


This vulnerability is capable of making the MP4Box crash, An attacker who can successfully exploit this vulnerability could potentially execute arbitrary code in the context of the application, leading to a compromise of the system where the vulnerable software is installed. Additionally, the attacker could use this vulnerability to cause a denial of service (DoS) by crashing the application or making it unresponsive. This vulnerability poses a significant risk to the confidentiality, integrity, and availability of systems running the affected software.


NULL Pointer


We are processing your report and will contact the gpac team within 24 hours. 4 months ago
We have contacted a member of the gpac team and are waiting to hear back 4 months ago
gpac/gpac maintainer
4 months ago


gpac/gpac maintainer validated this vulnerability 4 months ago
Sumisca has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
gpac/gpac maintainer marked this as fixed in 2.2.2 with commit 53387a 4 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
gpac/gpac maintainer published this vulnerability 4 months ago
xml_parser.c#L971 has been validated
to join this conversation