GPAC
cpe:2.3:a:gpac:gpac:*:*:*:*:*:*:*
- 2.5-DEV-rev1617-g856674b22-master
A NULL pointer dereference vulnerability has been identified in the GPAC Project's MP4Box, specifically in versions prior to 26.02.0. The issue arises in the 'gf_filter_pid_resolve_file_template_ex' function within 'filter_core/filter_pid.c'. When the software processes MP4 files containing specially crafted metadata with long URLs or HTML-like special characters, the function attempts to perform a string comparison using 'strncmp()'. This operation is conducted without ensuring that the pointer is valid, leading to a segmentation fault and causing a crash. The vulnerability can be exploited during DASH segmentation by supplying a crafted file, resulting in a denial-of-service condition.
Exploitation of this vulnerability leads to a process crash, causing a denial-of-service condition. The NULL pointer dereference is a read access at address 0x0, which terminates the process. This issue does not allow for arbitrary code execution or control-flow hijacking.
The vulnerability can be reproduced by using the MP4Box command-line tool to process a crafted MP4 file with metadata that includes long URLs or special characters. This should be done with a version of MP4Box that is prior to 26.02.0 and has not applied the available fix.
Users are advised to upgrade to GPAC version 26.02.0 or later, or to apply the patch available in commit '13eb5b76560aaf7813b865a2ad433258478e2695'.
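The bug class described above, as an added example that is not GPAC's code: a simplified `$Key$` template expander in C that checks the looked-up pointer before any string function touches it. `resolve_template`, `prop_lookup`, the `$Key$` syntax and the sample properties are hypothetical and constructed for illustration; the project's actual fix is the commit named above.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample metadata; "Title" has a key but no value. */
struct prop { const char *name; const char *value; };
static const struct prop props[] = {
    { "RepresentationID", "video1" },
    { "Title", NULL },
};

/* Hypothetical lookup: NULL when the property is absent or has no value. */
static const char *prop_lookup(const char *name, size_t len) {
    for (size_t i = 0; i < sizeof props / sizeof props[0]; i++)
        if (strlen(props[i].name) == len && !strncmp(props[i].name, name, len))
            return props[i].value;
    return NULL;
}

/* Expand $Key$ tokens of tpl into out (cap bytes).
 * Returns 0 on success, -1 on a missing property, -2 on malformed or
 * oversized input. */
int resolve_template(const char *tpl, char *out, size_t cap) {
    size_t used = 0;
    if (!tpl || !out || cap == 0) return -2;
    while (*tpl) {
        const char *src = tpl;   /* default: copy one literal character */
        size_t n = 1;
        if (*tpl == '$') {
            const char *end = strchr(tpl + 1, '$');
            if (!end) return -2;                 /* unterminated token */
            src = prop_lookup(tpl + 1, (size_t)(end - tpl - 1));
            /* Without this check, strlen()/strncmp() on src reads address 0. */
            if (src == NULL) return -1;
            n = strlen(src);
            tpl = end;                           /* now on the closing '$' */
        }
        if (n >= cap - used) return -2;          /* keep room for the NUL */
        memcpy(out + used, src, n);
        used += n;
        tpl++;
    }
    out[used] = '\0';
    return 0;
}

int main(void) {
    char buf[64];
    printf("rc=%d\n", resolve_template("seg_$Title$.m4s", buf, sizeof buf));
    return 0;
}
```

The caller gets an error code for a property with no value instead of a segmentation fault, so one malformed input file cannot take down the whole segmentation run.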