GPAC
cpe:2.3:a:gpac:gpac:*:*:*:*:*:*:*
- <= 2.4.0
A NULL pointer dereference vulnerability exists in GPAC versions through 2.4.0, specifically in the 'gf_media_export_webvtt_metadata' function within 'src/media_tools/media_export.c'. The vulnerability arises when the function processes a crafted MP4 file containing a track whose handler box (hdlr) lacks a name field. In this scenario, the handler name pointer ('nameUTF8') is NULL and is passed directly to 'gf_fprintf()' as the argument of a '%s' format specifier, which is undefined behavior. This vulnerability must be exploited locally, and a public exploit is available.
Exploitation of this vulnerability causes a NULL pointer dereference, which on most systems leads to a crash. On Linux systems using glibc, however, the output instead shows '(null)' without a crash, because glibc's printf family substitutes that string for a NULL '%s' argument as a non-standard extension. This behavior is not portable, and the same input will crash on Windows and other platforms.
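The defect class described above, a NULL 'const char *' reaching a printf-style '%s' conversion, shown beside the guard that fixes it. This is an added illustrative example, not GPAC's code, and the function and variable names ('write_handler_name_unchecked', 'handler_name_or_placeholder', 'format_handler_line', 'name_utf8') are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative example, not GPAC's code. The defect class from the advisory is
 * a NULL 'const char *' reaching a printf-style "%s" conversion; all names
 * here are hypothetical. */

/* Pattern that carries the bug: if name_utf8 is NULL this call is undefined
 * behaviour. glibc happens to print "(null)"; other C runtimes dereference
 * the NULL pointer and crash. */
static void write_handler_name_unchecked(FILE *out, const char *name_utf8)
{
    fprintf(out, "handler name: %s\n", name_utf8);
}

/* Hardened form: substitute a fixed placeholder when the parsed hdlr box
 * carried no name, so the format call never sees NULL. */
static const char *handler_name_or_placeholder(const char *name_utf8)
{
    return name_utf8 ? name_utf8 : "(unnamed)";
}

static void write_handler_name_checked(FILE *out, const char *name_utf8)
{
    fprintf(out, "handler name: %s\n", handler_name_or_placeholder(name_utf8));
}

/* The same guard on a buffer-writing path, so the result can be inspected:
 * formats the line into buf and returns the number of characters written
 * (excluding the terminator), or -1 on truncation or encoding error. */
static int format_handler_line(char *buf, size_t buf_len, const char *name_utf8)
{
    int n = snprintf(buf, buf_len, "handler name: %s",
                     handler_name_or_placeholder(name_utf8));
    if (n < 0 || (size_t)n >= buf_len)
        return -1;
    return n;
}

int main(void)
{
    /* Constructed inputs: a track whose hdlr box has a name, and one whose
     * hdlr box had none (the NULL case the advisory describes). */
    const char *named = "VideoHandler";
    const char *missing = NULL;

    write_handler_name_checked(stdout, named);
    write_handler_name_checked(stdout, missing);

    /* write_handler_name_unchecked(stdout, missing) is the buggy call; it is
     * deliberately not executed here because it is undefined behaviour. */
    (void)write_handler_name_unchecked;
    return 0;
}
```

The placeholder string is the only behavioural difference between the two paths: the checked variant always has a valid pointer to format, so its output is identical on every C runtime rather than depending on glibc's '(null)' extension.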
To reproduce this vulnerability, first generate an MP4 file that includes a track with a handler box that has no name field; a Python script can be used to create such a file. Once the file is created, the vulnerability can be triggered with GPAC's MP4Box tool using the '-webvtt-raw' option and specifying the track whose handler lacks a name. The output shows the incorrect handling of the NULL pointer ('(null)' on glibc, a crash elsewhere), confirming the vulnerability.
Users are advised to update to GPAC version 2.4.1 or later, where this vulnerability has been fixed.