GPAC NULL Pointer Dereference Vulnerability in DumpMovieInfo Function

Vulnerability

A NULL pointer dereference vulnerability has been identified in GPAC versions through 2.4.0. The issue arises in the DumpMovieInfo function within applications/mp4box/filedump.c. When the software processes a crafted MP4 file that includes a chapter track with an empty text sample (text_length = 0), the txt->text pointer becomes NULL. This NULL pointer is then directly passed to fprintf() using the %s format specifier, leading to undefined behavior. The vulnerability must be exploited locally, and a public exploit is available.

Impact

Exploitation of this vulnerability causes a NULL pointer dereference, which can lead to a crash or undefined behavior. On Linux systems using glibc, a non-standard extension prints '(null)' in the output instead of crashing. The same code will fail on Windows and other platforms, causing a crash instead.
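The unchecked pattern described above next to a checked form, as an added example that is not GPAC's code or its patch. The struct, the function names and the "<empty>" placeholder text are assumptions made for illustration; only the text and text_length fields come from the advisory.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a parsed chapter text sample. Only the two
 * fields the advisory names are modelled; this is not GPAC's struct. */
struct text_sample {
    const char *text;         /* NULL when the sample carries no text */
    unsigned int text_length; /* length in bytes, 0 for an empty sample */
};

/* Pattern the advisory describes: the pointer reaches %s unchecked.
 * With text == NULL this is undefined behaviour; glibc prints "(null)". */
int print_chapter_unchecked(FILE *out, const struct text_sample *txt)
{
    return fprintf(out, "Chapter: %s\n", txt->text);
}

/* Hardened form: test the pointer and the length before formatting, and
 * bound the read with a precision so the text need not be NUL-terminated.
 * Returns what snprintf returns, or -1 on a bad destination buffer. */
int format_chapter(char *dst, size_t dst_len, const struct text_sample *txt)
{
    if (!dst || dst_len == 0)
        return -1;
    if (!txt || !txt->text || txt->text_length == 0)
        return snprintf(dst, dst_len, "Chapter: <empty>");

    /* A negative precision is ignored by printf, so clamp before the cast. */
    unsigned int n = txt->text_length > INT_MAX ? INT_MAX : txt->text_length;
    return snprintf(dst, dst_len, "Chapter: %.*s", (int)n, txt->text);
}

int main(void)
{
    /* Constructed samples: an empty one, as in the crafted file, and a normal one. */
    struct text_sample empty = { NULL, 0 };
    struct text_sample intro = { "Intro", 5 };
    char line[64];

    format_chapter(line, sizeof line, &empty);
    puts(line);
    format_chapter(line, sizeof line, &intro);
    puts(line);
    return 0;
}
```

The checked form produces the same output on every platform, so it does not depend on the glibc behaviour noted above.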

Reproduction

To reproduce this vulnerability, first generate a malicious MP4 file using the provided Python script. This file should contain a chapter track with an empty text sample, which triggers the NULL pointer dereference when the DumpMovieInfo function is called. After creating the PoC file, use MP4Box to extract information from the file. The output will confirm the vulnerability by showing '(null)' where the text sample should be.

Remediation

Users are advised to update to the latest version of GPAC, as a patch for this vulnerability has been released. The patch is included in GPAC version 2.4.0.

Added: Jan 26, 2026, 4:20 AM
Updated: Jan 26, 2026, 4:20 AM

Vulnerability Rating

Custom Algorithm

spread: 2.4
impact: 0.6
exploitability: 4.2
remediation: 7.7
relevance: 2.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.