Controlled heap buffer overflow in SDP packet parsing in gpac/gpac


Reported on

Mar 30th 2022


A malicious server can trigger an out-of-bounds heap write via a specially crafted SDP packet due to no bounds check when parsing time zone information into the AdjustmentTime and AdjustmentOffset fields of GF_SDPTiming.

Proof of Concept is available here

(terminal 1)

python3 31337

(terminal 2)

./configure --enable-sanitizer
make -j32
./bin/gcc/gpac -play rtsp://
ietf/sdp.c:624:27: runtime error: index 10 out of bounds for type 'u32 [10]'


Thread 1 "gpac" received signal SIGSEGV, Segmentation fault.
0x00007ffff7828932 in gf_sdp_info_parse () from /gpac/bin/gcc/
(gdb) bt
#0  0x00007ffff7828932 in gf_sdp_info_parse () at /gpac/bin/gcc/
#1  0x00007ffff7be6020 in rtpin_load_sdp () at /gpac/bin/gcc/
#2  0x00007ffff7be6d6c in rtpin_rtsp_describe_process () at /gpac/bin/gcc/
#3  0x00007ffff7be493b in rtpin_rtsp_process_commands () at /gpac/bin/gcc/
#4  0x00007ffff7be3d56 in rtpin_process () at /gpac/bin/gcc/
#5  0x00007ffff7b47945 in gf_filter_process_task () at /gpac/bin/gcc/
#6  0x00007ffff7b34e67 in gf_fs_thread_proc () at /gpac/bin/gcc/
#7  0x00007ffff7b39e1b in gf_fs_run () at /gpac/bin/gcc/
#8  0x0000555555563a43 in gpac_main ()
#9  0x00007ffff744c310 in __libc_start_call_main () at /usr/lib/
#10 0x00007ffff744c3c1 in __libc_start_main_impl () at /usr/lib/
#11 0x0000555555559dc5 in _start ()


This is capable of causing crashes and allowing modification of heap memory which could lead to remote code execution.

We are processing your report and will contact the gpac team within 24 hours. a year ago
We have contacted a member of the gpac team and are waiting to hear back a year ago
gpac/gpac maintainer
a year ago


We have sent a follow up to the gpac team. We will try again in 7 days. a year ago
We have sent a second follow up to the gpac team. We will try again in 10 days. a year ago
gpac/gpac maintainer validated this vulnerability a year ago

Fixed by

Callum Thomson has been awarded the disclosure bounty
The fix bounty is now up for grabs
gpac/gpac maintainer marked this as fixed in 2.1.0-DEV with commit cfaea3 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
to join this conversation