CVE-2021-21843

Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. After validating the number of ranges, at [41] the library will multiply the count by the size of the GF_SubsegmentRangeInfo structure. On a 32-bit platform, this multiplication can result in an integer overflow causing the space of the array being allocated to be less than expected. An attacker can convince a user to open a video to trigger this vulnerability.

References

Affected packages

Git / github.com/gpac/gpac

Affected ranges

Type

GIT

Repo

https://github.com/gpac/gpac

Events

Introduced

Last affected

d8538e8ae946b32d99c6b2c57cbb327146e9cd9d

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.0.1"
        }
    ]
}

Affected versions

v0.*

v0.5.2

v0.6.0

v0.6.1

v0.7.0

v0.7.1

v0.8.0

v0.9.0

v0.9.0-preview

v1.*

v1.0.0

v1.0.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-21843.json"

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "10.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "11.0"
            }
        ]
    }
]