GPAC
cpe:2.3:a:gpac:gpac:*:*:*:*:*:*:*
- 2.5-DEV-rev1665-g3f20eb0cd-master
A heap use-after-free vulnerability has been identified in the GPAC Project's MP4Box, specifically in versions prior to 26.02.0. The issue arises in the dasher_process function within the dasher.c file. When the software processes crafted MPEG-2 Transport Stream files that contain corrupted Program Map Table descriptors and repeated sync marker violations, the dasher module improperly manages PID context memory. This mismanagement leads to a use-after-free condition, where a freed pointer is accessed again, causing a heap memory corruption that can crash the application and potentially allow arbitrary code execution.
Exploitation of this vulnerability leads to a process crash, causing a denial-of-service condition. However, given the nature of use-after-free vulnerabilities, there is a possibility of arbitrary code execution.
The vulnerability can be reproduced by running the MP4Box command-line tool with the '-dash 100' option on a crafted MPEG-2 Transport Stream file. The file must have missing sync markers, corrupted PMT descriptor sizes, and conflicting PID assignments, as these factors are crucial for replicating the issue.
Users are advised to upgrade to GPAC version 26.02.0 or later, or to apply the patch available in the GPAC GitHub repository.
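Where untrusted transport streams reach a host that has not yet been upgraded, the three malformations named above (missing sync bytes, PMT descriptor or info lengths that overrun their section, conflicting PID assignments) can be screened for before the file is handed to MP4Box. The following is an added example, not GPAC code and not part of the advisory. It assumes 188-byte aligned packets and PSI sections that fit in a single packet; `check_ts` and the other function names are hypothetical, and treating a PID declared by two PMTs as a conflict is a heuristic.

```python
import struct

TS, SYNC = 188, 0x47  # packet size and sync byte

def descriptors_ok(buf):
    """True if the (tag, length, data) descriptors fill buf exactly."""
    i = 0
    while i + 2 <= len(buf):
        i += 2 + buf[i + 1]
    return i == len(buf)

def psi_section(pkt):
    """Return the PSI section that starts and ends in this packet, else None."""
    afc = (pkt[3] >> 4) & 3                  # adaptation_field_control
    off = 4 + (1 + pkt[4] if afc & 2 else 0)
    if not (pkt[1] & 0x40 and afc & 1) or off >= TS:
        return None
    off += 1 + pkt[off]                      # skip pointer_field
    end = off + 3 + (int.from_bytes(pkt[off + 1:off + 3], "big") & 0x0FFF)
    return pkt[off:end] if off + 12 <= end <= TS else None

def check_ts(data):
    """Return sorted findings: sync loss, bad PMT lengths, PID conflicts."""
    found, pmt_pids, owner = set(), set(), {}
    for n in range(0, len(data) - TS + 1, TS):
        pkt = data[n:n + TS]
        if pkt[0] != SYNC:
            found.add(f"packet {n // TS}: missing sync byte")
            continue
        pid = ((pkt[1] & 0x1F) << 8) | pkt[2]
        sec = psi_section(pkt) if pid == 0 or pid in pmt_pids else None
        if sec is None:
            continue
        end = len(sec) - 4                   # CRC_32 is skipped, not verified
        if pid == 0 and sec[0] == 0x00:      # PAT: collect PMT PIDs
            rows = [struct.unpack(">HH", sec[i:i + 4]) for i in range(8, end - 3, 4)]
            pmt_pids |= {p & 0x1FFF for prog, p in rows if prog}  # program 0 = NIT
        elif pid and sec[0] == 0x02:         # PMT
            i = 12 + (struct.unpack(">H", sec[10:12])[0] & 0x0FFF)
            bad = i > end or not descriptors_ok(sec[12:i])
            while not bad and i + 5 <= end:
                es, eil = struct.unpack(">HH", sec[i + 1:i + 5])
                es, nxt = es & 0x1FFF, i + 5 + (eil & 0x0FFF)
                bad = nxt > end or not descriptors_ok(sec[i + 5:nxt])
                if es in pmt_pids or owner.setdefault(es, pid) != pid:
                    found.add(f"PID {es}: conflicting assignment")
                i = nxt
            if bad or i != end:
                found.add(f"PMT on PID {pid}: lengths inconsistent with section")
    return sorted(found)
```

An empty result means only that none of these three conditions was seen in single-packet PAT and PMT sections; it is a triage signal, not a substitute for the upgrade.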