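GPAC version 0.7.1 and earlier has a buffer overflow vulnerability in the cat_multiple_files function in applications/mp4box/fileimport.c, reachable when MP4Box is run on a local directory containing crafted filenames. The signature entries below all cite upstream commit 35ab4475a7df9b2a4bcab235e379c0c3ec543658 as their source and target four files (applications/mp4box/fileimport.c, applications/mp4client/main.c, modules/ffmpeg_in/ffmpeg_demux.c, src/scene_manager/scene_manager.c), so a match outside fileimport.c does not by itself point at cat_multiple_files.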
[
{
"source": "https://github.com/gpac/gpac/commit/35ab4475a7df9b2a4bcab235e379c0c3ec543658",
"target": {
"file": "applications/mp4client/main.c"
},
"id": "CVE-2018-20762-138b9cbe",
"deprecated": false,
"digest": {
"line_hashes": [
"177806710708948801023466107337935595194",
"101179168692257285273967622649824482615",
"142365261581564202298399807691257604892",
"29961273418044651086605550132794292427",
"10609050882929854190783234901260810949",
"13758865279394679676425726873429352093",
"137098705219827375748825150314849161523",
"249612812635717977904490394944552865247",
"300563767472421716329546861368598055552",
"162069967702304411113772687533291794467",
"334065887476312938473516292269748808408",
"153920100334872794026847679421893687691",
"148338080290635430922058106989875262390",
"251059782858831595628415134830674452886",
"188163686190837325114706975240648923495",
"302914892325916670735888427970652105481",
"320711065323366901188902124088569198477",
"160055706343848487710053992116068498215",
"129972362995167018935924128987383797919",
"289596222244060192319445051389433850753",
"97131646810314901201167157187342208826",
"57332432781208856566032034995164514236",
"105187912328225746919900045399207183304",
"258631037694452500310373557875252021317",
"54820847704567186114802404349166771063",
"336630550262938593278012641622956435631"
],
"threshold": 0.9
},
"signature_type": "Line",
"signature_version": "v1"
},
{
"source": "https://github.com/gpac/gpac/commit/35ab4475a7df9b2a4bcab235e379c0c3ec543658",
"target": {
"function": "cat_multiple_files",
"file": "applications/mp4box/fileimport.c"
},
"id": "CVE-2018-20762-14b2b16b",
"deprecated": false,
"digest": {
"function_hash": "266421301009955877927061290868667144890",
"length": 1053.0
},
"signature_type": "Function",
"signature_version": "v1"
},
{
"source": "https://github.com/gpac/gpac/commit/35ab4475a7df9b2a4bcab235e379c0c3ec543658",
"target": {
"function": "FFD_CanHandleURL",
"file": "modules/ffmpeg_in/ffmpeg_demux.c"
},
"id": "CVE-2018-20762-505a0d40",
"deprecated": false,
"digest": {
"function_hash": "31876490769685354517523917252215192740",
"length": 3932.0
},
"signature_type": "Function",
"signature_version": "v1"
},
{
"source": "https://github.com/gpac/gpac/commit/35ab4475a7df9b2a4bcab235e379c0c3ec543658",
"target": {
"file": "src/scene_manager/scene_manager.c"
},
"id": "CVE-2018-20762-54c53b98",
"deprecated": false,
"digest": {
"line_hashes": [
"237493653535479184836953215138021360478",
"217388982713414624001209062315649745598",
"65188003659595125205447103578125040304",
"109465885220917882838931629268924162384"
],
"threshold": 0.9
},
"signature_type": "Line",
"signature_version": "v1"
},
{
"source": "https://github.com/gpac/gpac/commit/35ab4475a7df9b2a4bcab235e379c0c3ec543658",
"target": {
"file": "modules/ffmpeg_in/ffmpeg_demux.c"
},
"id": "CVE-2018-20762-63a908da",
"deprecated": false,
"digest": {
"line_hashes": [
"264523157031263892128146363725756387325",
"118933627905992146657929152694320074049",
"257273306596703326577925339315019268129",
"274920654055756748976150798775296607179",
"209204931148955835024964255547571251171",
"56274645375521377663122475273814332602",
"136614371259472427414654230086662085041",
"150871314073043715570726590539299614118",
"291079280856334805031023588734060282809",
"84500922091286306009044906419371090872",
"227309841688554781594845013960716014333"
],
"threshold": 0.9
},
"signature_type": "Line",
"signature_version": "v1"
},
{
"source": "https://github.com/gpac/gpac/commit/35ab4475a7df9b2a4bcab235e379c0c3ec543658",
"target": {
"function": "GPAC_EventProc",
"file": "applications/mp4client/main.c"
},
"id": "CVE-2018-20762-86f3cc7d",
"deprecated": false,
"digest": {
"function_hash": "163118974547433479099396815109657039820",
"length": 10418.0
},
"signature_type": "Function",
"signature_version": "v1"
},
{
"source": "https://github.com/gpac/gpac/commit/35ab4475a7df9b2a4bcab235e379c0c3ec543658",
"target": {
"function": "mp4client_main",
"file": "applications/mp4client/main.c"
},
"id": "CVE-2018-20762-8fab7fc4",
"deprecated": false,
"digest": {
"function_hash": "237442712216280146270324140443867544129",
"length": 29995.0
},
"signature_type": "Function",
"signature_version": "v1"
},
{
"source": "https://github.com/gpac/gpac/commit/35ab4475a7df9b2a4bcab235e379c0c3ec543658",
"target": {
"function": "set_cfg_option",
"file": "applications/mp4client/main.c"
},
"id": "CVE-2018-20762-a5600968",
"deprecated": false,
"digest": {
"function_hash": "165754116954605594476599722340014993865",
"length": 936.0
},
"signature_type": "Function",
"signature_version": "v1"
},
{
"source": "https://github.com/gpac/gpac/commit/35ab4475a7df9b2a4bcab235e379c0c3ec543658",
"target": {
"file": "applications/mp4box/fileimport.c"
},
"id": "CVE-2018-20762-c6d45474",
"deprecated": false,
"digest": {
"line_hashes": [
"30739628822414551627383190559771524873",
"25724999979887296492779751561194023031",
"105175159957466592163691017413067280625",
"148799604309504246911057992718970920910",
"295951348819635724122242006273612480248",
"309872636870750701225570848504326574689",
"236858418898194591029271085083340849412",
"307538305822837846156040367940415744092",
"284312735582319307094798885990206965073",
"321035248002051127603397109875145888386",
"20579560730579201526093260620830775434",
"125582650234243198115040091927257429008",
"58697057854487651962318453038124536209",
"97251207196374203411827359232807357736",
"329344419116748040050187867256612520294",
"151482843949274259482119254579003759418",
"124648944189169153752897372929024043821",
"148544142094532301817996246237602613941"
],
"threshold": 0.9
},
"signature_type": "Line",
"signature_version": "v1"
},
{
"source": "https://github.com/gpac/gpac/commit/35ab4475a7df9b2a4bcab235e379c0c3ec543658",
"target": {
"function": "gf_sm_load_init",
"file": "src/scene_manager/scene_manager.c"
},
"id": "CVE-2018-20762-e72de6bd",
"deprecated": false,
"digest": {
"function_hash": "332530591878327878357530633887625197210",
"length": 2931.0
},
"signature_type": "Function",
"signature_version": "v1"
}
]