In GPAC 0.7.1 and earlier, gftextgetutf8line in mediatools/textimport.c in libgpac_static.a allows an out-of-bounds write because a certain -1 return value is mishandled.
{
"unresolved_ranges": [
{
"cpes": [
"cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*",
"cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
"cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "16.04"
},
{
"last_affected": "16.04"
},
{
"introduced": "18.04"
},
{
"last_affected": "18.04"
},
{
"introduced": "18.10"
},
{
"last_affected": "18.10"
}
],
"source": "CPE_STRING",
"vendor_product": "canonical:ubuntu_linux"
},
{
"cpes": [
"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "8.0"
},
{
"last_affected": "8.0"
}
],
"source": "CPE_STRING",
"vendor_product": "debian:debian_linux"
}
]
}{
"extracted_events": [
{
"introduced": "0"
},
{
"last_affected": "0.7.1"
}
],
"cpe": "cpe:2.3:a:gpac:gpac:*:*:*:*:*:*:*:*",
"source": [
"CPE_RANGE",
"REFERENCES"
]
}"2026-07-08T17:17:47Z"
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-20760.json"
[
{
"signature_type": "Line",
"target": {
"file": "src/media_tools/text_import.c"
},
"deprecated": false,
"digest": {
"line_hashes": [
"166482483231269289728412799493455409256",
"294305885484496685493816442798177987069",
"339237291132411872005631746324972709639",
"275142320839685856229007254720329448643"
],
"threshold": 0.9
},
"id": "CVE-2018-20760-0f0f89f8",
"source": "https://github.com/gpac/gpac/commit/4c1360818fc8948e9307059fba4dc47ba8ad255d",
"signature_version": "v1"
},
{
"signature_type": "Function",
"target": {
"file": "src/media_tools/text_import.c",
"function": "gf_text_get_utf8_line"
},
"deprecated": false,
"digest": {
"length": 1613.0,
"function_hash": "99797345829505119259293328342837626094"
},
"id": "CVE-2018-20760-5f3fa077",
"source": "https://github.com/gpac/gpac/commit/4c1360818fc8948e9307059fba4dc47ba8ad255d",
"signature_version": "v1"
}
]