GPAC
cpe:2.3:a:gpac:gpac:*:*:*:*:*:*:*
- <= 2.4.0
A NULL pointer dereference vulnerability has been identified in GPAC versions through 2.4.0. The issue is in the 'dump_isom_rtp' function in 'applications/mp4box/filedump.c'. When the application processes a crafted MP4 file that contains a hint track without associated SDP information, the 'sdp' pointer can remain NULL. This NULL pointer is then passed directly to 'fprintf()' with the '%s' format specifier, which is undefined behavior. Exploitation is local, as the user must open a malicious file. On Linux/glibc systems the issue does not cause a crash; instead it disrupts normal output by printing '(null)', which is a non-portable glibc extension. On Windows and other platforms, however, it will cause a crash.
Exploitation of this vulnerability leads to a NULL pointer dereference, causing a crash or exit of the application on most platforms, except for Linux with glibc, where it disrupts output without causing a crash.
To reproduce this vulnerability, first generate a crafted MP4 file that includes a hint track without SDP information. This can be done using a Python script that creates an MP4 file with the necessary characteristics. Once the file is prepared, use MP4Box to process the file with the '-drtp' option. The output will include '(null)' where the SDP information is expected, confirming the NULL pointer dereference.
Users are advised to update to GPAC version 2.4.1 or later, where this vulnerability has been fixed.
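The defect class described above (a possibly-NULL string handed to '%s') and the guard that removes it, as an added C example. It is not GPAC's code or its actual patch; the struct, the function names and the sample data are assumptions made for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical model of a hint track (names are assumptions, not GPAC's):
 * sdp stays NULL when the file carries no SDP text for the track. */
struct hint_track { unsigned id; const char *sdp; };

/* Unsafe pattern from the advisory, shown for comparison only; a NULL
 * argument for "%s" is undefined behaviour in C:
 *     fprintf(out, "Track %u SDP:\n%s\n", trk->id, trk->sdp);
 */

/* Hardened form. Returns 1 if SDP text was written, 0 if the track had
 * none (reported explicitly), -1 on a bad argument or write error. */
int dump_track_sdp(FILE *out, const struct hint_track *trk)
{
    if (out == NULL || trk == NULL)
        return -1;
    if (trk->sdp == NULL || trk->sdp[0] == '\0')
        return fprintf(out, "Track %u: no SDP information\n", trk->id) < 0 ? -1 : 0;
    return fprintf(out, "Track %u SDP:\n%s\n", trk->id, trk->sdp) < 0 ? -1 : 1;
}

/* Dump every track; returns how many lacked SDP, or -1 on error. */
int dump_all_sdp(FILE *out, const struct hint_track *trks, size_t n)
{
    int missing = 0;
    if (trks == NULL)
        return -1;
    for (size_t i = 0; i < n; i++) {
        int rc = dump_track_sdp(out, &trks[i]);
        if (rc < 0)
            return -1;
        missing += (rc == 0);
    }
    return missing;
}

/* Constructed sample data: track 2 has no SDP, as in the crafted file. */
static const struct hint_track sample_tracks[] = {
    { 1, "m=video 0 RTP/AVP 96\r\na=rtpmap:96 H264/90000\r\n" },
    { 2, NULL },
};

int main(void)
{
    /* Exit status 0 when exactly one track is reported as missing SDP. */
    return dump_all_sdp(stdout, sample_tracks, 2) == 1 ? 0 : 1;
}
```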