GPAC MP4Box Buffer Overflow Vulnerability in VVC PPS Parsing Function

Vulnerability

A buffer overflow vulnerability has been identified in GPAC MP4Box version 2.1-DEV-rev574-g9d5bb184b. The issue arises in the 'gf_vvc_read_pps_bs_internal' function within 'media_tools/av_parsers.c', where improper validation of the 'num_exp_tile_columns' parameter can lead to memory corruption.
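The kind of validation described as missing above, shown as an added illustration (this is not GPAC source code and not the project's fix): a self-contained parser reads an Exp-Golomb-coded column count, as VVC PPS syntax uses, and rejects it before it is used to index a fixed-size array. `PpsTiles`, `MAX_TILE_COLS`, the helper names and the sample bytes are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_TILE_COLS 30 /* assumed capacity for this example, not GPAC's constant */

typedef struct { const uint8_t *buf; size_t len, pos; } BitReader; /* pos counts bits */
typedef struct { uint32_t num_exp_tile_columns, col_width[MAX_TILE_COLS]; } PpsTiles;

static PpsTiles last_pps; /* result of the most recent parse_bytes() call */

/* Read one bit MSB-first; sets *err instead of reading past the buffer. */
static uint32_t read_bit(BitReader *br, int *err) {
    if (br->pos >= br->len * 8) { *err = 1; return 0; }
    uint32_t b = (br->buf[br->pos >> 3] >> (7 - (br->pos & 7))) & 1u;
    br->pos++;
    return b;
}

/* Unsigned Exp-Golomb ue(v): count leading zeros, then read that many suffix bits. */
static uint32_t read_ue(BitReader *br, int *err) {
    uint32_t zeros = 0, suffix = 0;
    while (!*err && read_bit(br, err) == 0)
        if (++zeros > 31) *err = 1;
    if (*err) return 0;
    for (uint32_t i = 0; i < zeros; i++) suffix = (suffix << 1) | read_bit(br, err);
    return *err ? 0 : ((1u << zeros) - 1u) + suffix;
}

/* Returns 0 on success, -1 on a truncated or out-of-range field. */
static int parse_tile_columns(BitReader *br, PpsTiles *pps) {
    int err = 0;
    uint32_t n = read_ue(br, &err);            /* count minus 1, taken from the file */
    if (err || n >= MAX_TILE_COLS) return -1;  /* validate before any array write */
    pps->num_exp_tile_columns = n + 1;
    for (uint32_t i = 0; i < pps->num_exp_tile_columns; i++) {
        /* Without the check above, i would run past col_width[] here. */
        pps->col_width[i] = read_ue(br, &err) + 1;
        if (err) return -1;
    }
    return 0;
}

int parse_bytes(const uint8_t *buf, size_t len) {
    BitReader br = { buf, len, 0 };
    last_pps = (PpsTiles){ 0 };
    return parse_tile_columns(&br, &last_pps);
}

/* Constructed inputs: two columns (widths 3, 1); count field 99; truncated code. */
const uint8_t SAMPLE_OK[] = { 0x4E }, SAMPLE_BIG[] = { 0x03, 0x20 }, SAMPLE_CUT[] = { 0x00 };
```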

Impact

Exploitation of this vulnerability causes a buffer overflow, which can lead to memory corruption. According to the GitHub issue, this vulnerability could potentially be exploited to execute arbitrary code.

Reproduction

The vulnerability can be reproduced by compiling GPAC MP4Box with the sanitizer enabled and then using the 'import' command to add a specially crafted MP4 file that triggers the buffer overflow during VVC PPS parsing. The sanitizer reports a runtime error indicating an out-of-bounds access, which is a clear sign of the buffer overflow.

Remediation

Users can update to GPAC version 2.4.0 or later, where this vulnerability has been fixed.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 6.0
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.