GPAC Buffer Overflow Vulnerability in TeXML File Parser

Vulnerability

A stack-based buffer overflow has been identified in GPAC version 26.03-DEV. The issue is in the TeXML file parser, specifically in the 'txtin_process_texml' function of 'src/filters/load_text.c'. The function writes to a fixed-size stack array, 'GF_StyleRecord styles[50]', without bounds checking, so a crafted TeXML file containing more than 50 '<sharedStyles>' blocks overflows the stack. A similar issue exists with the 'Marker marks[50]' array, indicating a broader problem with stack management in this function. The vulnerability can be exploited locally, leading to potential code execution.
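
The pattern described above, reduced to a simplified model next to a bounds-checked form. This is an added example, not GPAC's code or its fix: StyleRec, collect_unchecked, collect_checked, build_input and run_checked are hypothetical names, and the input is constructed.

```c
#include <stdio.h>
#include <string.h>

#define MAX_STYLES 50   /* size of styles[50] as stated in the advisory */
#define OPEN_TAG "<sharedStyles"

/* Simplified stand-in for GF_StyleRecord; the fields are hypothetical. */
typedef struct { unsigned id; unsigned font_size; } StyleRec;

/* Unchecked pattern: one record per block, index never compared to the size. */
int collect_unchecked(const char *xml, StyleRec *styles) {
    int n = 0;
    for (const char *p = xml; (p = strstr(p, OPEN_TAG)) != NULL; p++) {
        styles[n] = (StyleRec){ (unsigned)n, 12 };  /* out of bounds once n == MAX_STYLES */
        n++;
    }
    return n;
}

/* Checked pattern: reject the file before writing past the last slot. */
int collect_checked(const char *xml, StyleRec *styles, int cap) {
    int n = 0;
    for (const char *p = xml; (p = strstr(p, OPEN_TAG)) != NULL; p++) {
        if (n >= cap) return -1;                    /* too many blocks: fail closed */
        styles[n] = (StyleRec){ (unsigned)n, 12 };
        n++;
    }
    return n;
}

/* Constructed sample input: `blocks` empty <sharedStyles> elements (capped at 100). */
const char *build_input(int blocks) {
    static char xml[4096];
    xml[0] = '\0';
    for (int i = 0; i < blocks && i < 100; i++)
        strcat(xml, "<sharedStyles></sharedStyles>");
    return xml;
}

int run_checked(int blocks) {
    StyleRec styles[MAX_STYLES];
    return collect_checked(build_input(blocks), styles, MAX_STYLES);
}

int main(void) {
    printf("50 blocks -> %d, 51 blocks -> %d\n", run_checked(50), run_checked(51));
    return 0;
}
```

The same check applies to any second fixed-size array filled in the same loop, such as the 'Marker marks[50]' array mentioned above.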

Impact

Exploitation of this vulnerability causes a stack-based buffer overflow, which can disrupt normal program operation and potentially allow for arbitrary code execution.

Reproduction

The vulnerability can be reproduced by saving a crafted TeXML file with more than 50 '<sharedStyles>' blocks and then using MP4Box to add this file to a new MP4 container. The 'txtin_process_texml' function will process the file, leading to a buffer overflow.

Remediation

Users are advised to update to the latest version of GPAC, where this vulnerability has been fixed.

Added: Mar 12, 2026, 9:19 AM
Updated: Mar 12, 2026, 9:19 AM

Vulnerability Rating

Custom Algorithm
spread: 2.4
impact: 7.5
exploitability: 5.6
remediation: 7.7
relevance: 3.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.