CVE-2022-47090

GPAC MP4box 2.1-DEV-rev574-g9d5bb184b contains a buffer overflow in gfvvcreadppsbsinternal function of mediatools/avparsers.c, check needed for numexptilecolumns

References

Affected packages

Git / github.com/gpac/gpac

Affected ranges

Type: GIT
Repo: https://github.com/gpac/gpac
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

48760768611f6766bf9e7378bb7cc66cebd6e49d

Affected versions

v0.*

v0.5.2

v0.6.0

v0.6.1

v0.7.0

v0.7.1

v0.8.0

v0.9.0

v0.9.0-preview

v1.*

v1.0.0

v1.0.1

v2.*

v2.0.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-47090.json"

vanir_signatures

[
    {
        "signature_type": "Line",
        "signature_version": "v1",
        "source": "https://github.com/gpac/gpac/commit/48760768611f6766bf9e7378bb7cc66cebd6e49d",
        "digest": {
            "line_hashes": [
                "205209458812386853287423321730706039629",
                "283842925901255651038014883729249748502",
                "119750241985182591880100035652884518750",
                "249173118097177807258314029870084205322",
                "145169747838016420967307705714809152012",
                "17678980392922620157855712049400787652",
                "298981180365317512869892842504849017620",
                "76656828522272514685842700247074708712",
                "322674210456313726550982336582109607433",
                "328885615478932769306837559688088515473",
                "188547454502341615709831812951291639810",
                "279095389721625900102977766734825829708",
                "228746153867877852956155136832942321446",
                "329769442877559556611307647141321953070",
                "243954140227521645296268521307161715640",
                "57974578731255535348878017228351961357",
                "107812210113521606122792993561365764836",
                "224837128817339056742644030688043759223",
                "28415693334215349416190352426534119281",
                "296333176005024444959529186010178449570",
                "74876339551563488313306685286738398802",
                "251510676883842765728152705936873672899",
                "281229880928935923103119675007558539856",
                "153744100990202565898655088326250806832",
                "129336266987800426731230548423736001681",
                "83022577908808554805076911886680626450",
                "75060847933832581785216824895215528632",
                "164983488199366312494739074465961779520",
                "20039334582733489845696644564879128577",
                "221155674425475002333071391877791012516",
                "125233794203003531721734494994708824431",
                "111088692452168871356026409075927580884",
                "28204333431810818060280925250875245743",
                "273896969273243665505630651444602891170",
                "13711166146158558160664229371431732128"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2022-47090-124dbdf0",
        "deprecated": false,
        "target": {
            "file": "src/media_tools/av_parsers.c"
        }
    },
    {
        "signature_type": "Line",
        "signature_version": "v1",
        "source": "https://github.com/gpac/gpac/commit/48760768611f6766bf9e7378bb7cc66cebd6e49d",
        "digest": {
            "line_hashes": [
                "96071949862397183840061149148711297212",
                "318580497121197462373685047158736131940",
                "104293381729214981031340158303783530447",
                "42161297080934316694561740653750865605",
                "32423565209999813888984125196922238314",
                "277252751256773839106274423853941105145",
                "177649780436661873186378779791972495782",
                "87457855893211095898976782697811200436",
                "271393681686466991765481854149441463432",
                "291869085989057971998782664238448063623",
                "283960316373127838310434272826434264951",
                "110168409891027145125484521302180438624",
                "332804156662481109427587395674058886673",
                "196057315097150864096171074305999168986",
                "43997827086932850920757970056345801535",
                "87165258556356256108888645208400235916",
                "113280187794616323198828273921942922162",
                "217879654717393563195353541726202879219",
                "115649102525993532045248576010565840759",
                "256584152456612790210969595626843445836",
                "9137569471773682973684105697194852775",
                "92295091909584830493727438899044783717",
                "83086903934280031691821906947382080038",
                "49846852191373665480083085087342891958",
                "338906667619663477482381201342791604547",
                "128457975258460512713871355108825639291",
                "25088696614288469407895734397655756731",
                "59434041739301485784372445577503675536",
                "209714490067857263522236258976403941283",
                "165878685771085962425725540344852052590",
                "128414171240251794177296279088061733748",
                "36316392981092179572660706497667942995",
                "88043512317473275336884332579642680877",
                "196057315097150864096171074305999168986",
                "43997827086932850920757970056345801535",
                "87165258556356256108888645208400235916",
                "169432363214486187268745832769874227344",
                "190456298135387678038642757580156882457",
                "115649102525993532045248576010565840759",
                "256584152456612790210969595626843445836",
                "9137569471773682973684105697194852775",
                "107532391141670904783165217610605953264",
                "313637298857287612438911363738637421945",
                "60402971881160126086240620705137226767",
                "13552015904960181699515604159429313485",
                "269039415874274483728319823337301009930",
                "226720462349373536152640104696944103189",
                "70724719849622876252369936278930316630",
                "204636774618066027572654205596996281564",
                "312620174353653003242865189682750078771",
                "1999507374277784094792014986210075752",
                "77126822460060160868633215974923676011",
                "206845374057353456109194533249815252564",
                "308444527540163286080981913092746907225",
                "123940570758430844552109263375568977558",
                "288488291313138768601066425219521582830",
                "102462049936954247047826355526185762854",
                "264403209169700516106663167963987013596",
                "67658967645960681751821641472277070500",
                "101513277398978384344834398236057621957",
                "282535290391298460348636694394595300063",
                "81972568559392482805497231245834499617",
                "30181345067630880270526562072574952781",
                "314516624984129739714331346660467845624",
                "149312512928866397311697141482796945527",
                "162426562151165784007944744072359641320",
                "141392573072803819448121911246468523786"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2022-47090-1bd45b9a",
        "deprecated": false,
        "target": {
            "file": "src/filters/reframe_nalu.c"
        }
    },
    {
        "signature_type": "Function",
        "signature_version": "v1",
        "source": "https://github.com/gpac/gpac/commit/48760768611f6766bf9e7378bb7cc66cebd6e49d",
        "digest": {
            "function_hash": "196346292254685270069565389086108819905",
            "length": 6295.0
        },
        "id": "CVE-2022-47090-1ef13c96",
        "deprecated": false,
        "target": {
            "file": "src/filters/reframe_nalu.c",
            "function": "naludmx_check_pid"
        }
    },
    {
        "signature_type": "Function",
        "signature_version": "v1",
        "source": "https://github.com/gpac/gpac/commit/48760768611f6766bf9e7378bb7cc66cebd6e49d",
        "digest": {
            "function_hash": "60419063003199191726838070568378404507",
            "length": 5303.0
        },
        "id": "CVE-2022-47090-598b0f62",
        "deprecated": false,
        "target": {
            "file": "src/filters/reframe_nalu.c",
            "function": "naludmx_create_hevc_decoder_config"
        }
    },
    {
        "signature_type": "Function",
        "signature_version": "v1",
        "source": "https://github.com/gpac/gpac/commit/48760768611f6766bf9e7378bb7cc66cebd6e49d",
        "digest": {
            "function_hash": "282602502051226317528355739273576782141",
            "length": 5362.0
        },
        "id": "CVE-2022-47090-5eca42bf",
        "deprecated": false,
        "target": {
            "file": "src/filters/reframe_nalu.c",
            "function": "naludmx_create_vvc_decoder_config"
        }
    },
    {
        "signature_type": "Function",
        "signature_version": "v1",
        "source": "https://github.com/gpac/gpac/commit/48760768611f6766bf9e7378bb7cc66cebd6e49d",
        "digest": {
            "function_hash": "54051840382090665012279100390031030963",
            "length": 4889.0
        },
        "id": "CVE-2022-47090-70a2de94",
        "deprecated": false,
        "target": {
            "file": "src/filters/reframe_nalu.c",
            "function": "naludmx_create_avc_decoder_config"
        }
    },
    {
        "signature_type": "Function",
        "signature_version": "v1",
        "source": "https://github.com/gpac/gpac/commit/48760768611f6766bf9e7378bb7cc66cebd6e49d",
        "digest": {
            "function_hash": "187892300278696992071000075496628048873",
            "length": 9258.0
        },
        "id": "CVE-2022-47090-e5f2c26f",
        "deprecated": false,
        "target": {
            "file": "src/media_tools/av_parsers.c",
            "function": "gf_vvc_read_pps_bs_internal"
        }
    },
    {
        "signature_type": "Line",
        "signature_version": "v1",
        "source": "https://github.com/gpac/gpac/commit/48760768611f6766bf9e7378bb7cc66cebd6e49d",
        "digest": {
            "line_hashes": [
                "9598856946840000043357287569005012389",
                "141463780591152997642512241595332271043",
                "268336417426805060081828907197226815546",
                "296599562676330051517447606396841409969",
                "107367841899169065754041093112658862510",
                "20107194874740464870186419265844404251",
                "182971361688358743674011316645839448862",
                "158909592336990539578065677634650914221"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2022-47090-f025825e",
        "deprecated": false,
        "target": {
            "file": "include/gpac/internal/media_dev.h"
        }
    }
]