NULL Pointer Dereference in gpac/gpac


Reported on

Feb 21st 2022


NULL Pointer Dereference in MP4BOX


MP4Box -info POC6 

POC6 is here.

ASAN result

[iso file] Unknown box type url@ in parent dref
[iso file] Unknown box type traj in parent moov
[iso file] Unknown box type 80rak in parent moov
[iso file] Incomplete box mdat - start 11495 size 901165
[iso file] Incomplete file while reading for dump - aborting parsing
# Movie Info - 4 tracks - TimeScale 90000
Duration 00:00:22.839 (recomputed 00:00:25.004)
Fragmented: no
Progressive (moov before mdat)
Major Brand isom - version 1 - compatible brands:
Created: GMT Wed Sep 14 06:08:31 2078
Modified: GMT Wed Sep 14 06:08:33 2078

File has root IOD (96 bytes)
Scene PL 0xff - Graphics PL 0xff - OD PL 0xff
Visual PL: Simple Profile @ Level 1 (0x01)
Audio PL: High Quality Audio Profile @ Level 2 (0x0f)
1 UDTA types: 

# Track 1 Info - ID 1 - TimeScale 90000
Media Duration 00:00:22.800 
Track uses external data reference not supported by GPAC!
Track flags: Enabled
Media Info: Language "Undetermined (und)" - Type "vide:mp4v" - 342 samples
Media Data Location: (null)
Visual Sample Entry Info: width=176 height=144 (depth=24 bits)
Visual Track layout: x=0 y=0 width=176 height=144
MPEG-4 Config: Visual Stream - ObjectTypeIndication 0x20
MPEG-4 Visual Size 176 x 144 - Simple Profile @ Level 3
Pixel Aspect Ratio 1:1 - Indicated track size 176 x 144
Synchronized on stream 7
    RFC6381 Codec Parameters: mp4v.20.3
    Average GOP length: 31 samples
    Max sample duration: 6000 / 90000

# Track 2 Info - ID 2 - TimeScale 82064
Media Duration 00:00:25.004 
Track flags: Disabled
Media Info: Language "Undetermined (und)" - Type "hint:rtp " - 342 samples
2 UDTA types: 
    hanf: isomedia/isom_read.c:2726:22: runtime error: null pointer passed as argument 2, which is declared to never be null
/usr/include/string.h:44:28: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior isomedia/isom_read.c:2726:22 in 
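
The sanitizer line above reports a NULL pointer handed to a `string.h` routine whose second argument is declared nonnull. The C sketch below is an added example, not part of the report and not GPAC's code: it shows that class of defect beside a guarded form. The `udta_entry` type, the function names and the return codes are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a parsed user-data entry; not a GPAC type. */
typedef struct {
    uint8_t *data;  /* NULL when the box carried no payload */
    uint32_t size;  /* payload length in bytes */
} udta_entry;

enum { COPY_OK = 0, COPY_BAD_PARAM = -1, COPY_OOM = -2 };

/* Flagged pattern: memcpy's source is declared nonnull, so passing
 * e->data == NULL is undefined behaviour even when e->size is 0. */
int copy_entry_unchecked(const udta_entry *e, uint8_t **out, uint32_t *out_size)
{
    *out = malloc(e->size ? e->size : 1);
    if (!*out) return COPY_OOM;
    memcpy(*out, e->data, e->size);
    *out_size = e->size;
    return COPY_OK;
}

/* Guarded form: validate pointer and length before calling memcpy. */
int copy_entry_checked(const udta_entry *e, uint8_t **out, uint32_t *out_size)
{
    if (!e || !out || !out_size) return COPY_BAD_PARAM;
    *out = NULL;
    *out_size = 0;
    if (e->size == 0) return COPY_OK;     /* empty payload: nothing to copy */
    if (!e->data) return COPY_BAD_PARAM;  /* length without data: malformed */
    *out = malloc(e->size);
    if (!*out) return COPY_OOM;
    memcpy(*out, e->data, e->size);
    *out_size = e->size;
    return COPY_OK;
}

int main(void)
{
    udta_entry empty = { NULL, 0 };       /* constructed input: empty entry */
    uint8_t *out = NULL;
    uint32_t n = 0;
    int rc = copy_entry_checked(&empty, &out, &n);
    printf("empty entry: rc=%d size=%u\n", rc, (unsigned)n);
    free(out);
    return 0;
}
```

Building with `-fsanitize=undefined` and passing the empty entry to `copy_entry_unchecked` produces the same kind of nonnull diagnostic as the report; the checked variant returns without calling `memcpy`.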

We are processing your report and will contact the gpac team within 24 hours. a year ago
zfeixq modified the report
a year ago
We have contacted a member of the gpac team and are waiting to hear back a year ago
We have sent a follow up to the gpac team. We will try again in 7 days. a year ago
We have sent a second follow up to the gpac team. We will try again in 10 days. a year ago
gpac/gpac maintainer validated this vulnerability a year ago
zfeixq has been awarded the disclosure bounty
The fix bounty is now up for grabs
gpac/gpac maintainer marked this as fixed in 2.1.0-DEV with commit 6f37ae a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE