GPAC MP4Box Heap-Based Buffer Overflow Vulnerability in XML Bit Sequence Parsing

Vulnerability

A heap-based buffer overflow vulnerability has been identified in GPAC MP4Box builds prior to commit 86b0e36. The issue arises in the 'gf_xml_parse_bit_sequence_bs' function within 'utils/xml_bin_custom.c' when the application processes a specially crafted NHML file containing malicious '<BS>' (BitSequence) elements. By manipulating the 'bits' attribute, an attacker can cause an out-of-bounds write on the heap, leading to potential arbitrary code execution.

Impact

Exploitation of this vulnerability causes the application to crash. However, being a heap-based write overflow, it could also be exploited for arbitrary code execution, depending on the heap layout and allocator behavior.

Reproduction

To reproduce this vulnerability, build GPAC with AddressSanitizer and Undefined Behavior Sanitizer enabled. Then, run MP4Box with a crafted NHML file that exploits the buffer overflow vulnerability. The expected result is a report from UBSan about a shift exponent overflow, followed by ASan indicating a heap-buffer-overflow write error.

Remediation

Users are advised to update to a GPAC build that includes commit 86b0e36 or later, where this vulnerability has been patched.
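
The kind of validation that closes off this bug class (an attacker-chosen bit width reaching a shift and a heap write unchecked) is shown below as an added example; it is not GPAC's code and not the change made in commit 86b0e36. The 'bitwriter' type, 'parse_width' and 'bw_write_bits' are hypothetical names, and the 1..64 width limit is an assumption of this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical fixed-capacity bit writer (not GPAC's bitstream type). */
typedef struct {
    uint8_t *buf;     /* heap buffer owned by the caller */
    size_t   cap;     /* capacity in bytes (assumed < SIZE_MAX / 8) */
    size_t   bitpos;  /* next bit to write, counted from the start */
} bitwriter;

/* Parse a textual width attribute; rejects junk, negatives and overflow. */
int parse_width(const char *s, long *out)
{
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno || end == s || *end != '\0' || v < 1 || v > 64)
        return -1;
    *out = v;
    return 0;
}

/* Returns 0 on success, -1 if nbits is not a valid width,
 * -2 if the write would run past the end of the buffer. */
int bw_write_bits(bitwriter *bw, uint64_t value, long nbits)
{
    /* Re-check the width here: shifting a 64-bit value by >= 64 is undefined. */
    if (nbits < 1 || nbits > 64)
        return -1;
    /* Bounds check in bits, ordered so the subtraction cannot wrap. */
    if (bw->bitpos / 8 >= bw->cap ||
        (size_t)nbits > bw->cap * 8 - bw->bitpos)
        return -2;
    for (long i = nbits - 1; i >= 0; i--) {
        uint8_t bit = (uint8_t)((value >> i) & 1u);   /* i is 0..63 */
        size_t byte = bw->bitpos / 8;
        unsigned shift = 7u - (unsigned)(bw->bitpos % 8);
        bw->buf[byte] = (uint8_t)((bw->buf[byte] & ~(1u << shift)) | (bit << shift));
        bw->bitpos++;
    }
    return 0;
}
```

Both checks fail closed: an out-of-range width is rejected before any shift, and a write that does not fit leaves the buffer and write position unchanged.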

Added: Mar 20, 2026, 9:27 PM
Updated: Mar 20, 2026, 9:27 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 4.7
remediation: 7.7
relevance: 4.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.