CVE-2019-20628

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2019-20628
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-20628.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2019-20628
Downstream
Published
2020-03-24T19:15:20Z
Modified
2025-10-14T16:58:48.794586Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstrated by MP4Box. It contains a Use-After-Free vulnerability in gfm2tsprocesspmt in mediatools/mpegts.c that can cause a denial of service via a crafted MP4 file.

References

Affected packages

Git / github.com/gpac/gpac

Affected ranges

Type
GIT
Repo
https://github.com/gpac/gpac
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
1ab4860609f2e7a35634930571e7d0531297e090
Fixed
98b727637e32d1d4824101d8947e2dbd573d4fc8

Affected versions

v0.*

v0.5.2
v0.6.0
v0.6.1
v0.7.0
v0.7.1
v0.8.0

Database specific 

{
    "vanir_signatures": [
        {
            "signature_version": "v1",
            "target": {
                "file": "src/media_tools/mpegts.c"
            },
            "signature_type": "Line",
            "source": "https://github.com/gpac/gpac/commit/1ab4860609f2e7a35634930571e7d0531297e090",
            "deprecated": false,
            "digest": {
                "line_hashes": [
                    "119373215220266814155862783695884915755",
                    "160815260908940343406261643395088919732",
                    "144479058489695988924487422918990700335",
                    "279915503899964487124964736369828704784",
                    "314003712436004261629644486703339659723",
                    "25215980662181492641651708525269014682",
                    "209606584805963128599457437151058336299",
                    "74052400548209328731711756175786501918",
                    "119730882731057139552713333680099632794",
                    "266016201252775468633491569535813497184",
                    "63000146090874992851417898116936339580",
                    "113317852001645032477968268686908535838",
                    "312003032799094112922801301182157311821",
                    "326354901076355971873288704935948688613",
                    "19924341711483973471876240021155504678",
                    "43728446928011602045002302582941866376",
                    "211209783633356644266377190063189510007",
                    "26625414007268669380281060674663768502",
                    "210855090187782480286711668667853091751"
                ],
                "threshold": 0.9
            },
            "id": "CVE-2019-20628-09117ddd"
        },
        {
            "signature_version": "v1",
            "target": {
                "function": "gf_m2ts_process_pmt",
                "file": "src/media_tools/mpegts.c"
            },
            "signature_type": "Function",
            "source": "https://github.com/gpac/gpac/commit/1ab4860609f2e7a35634930571e7d0531297e090",
            "deprecated": false,
            "digest": {
                "length": 13860.0,
                "function_hash": "87248885212904622232649285113601413920"
            },
            "id": "CVE-2019-20628-c5f4c8cf"
        }
    ]
}