GPAC Memory Exhaustion Vulnerability in SIDX Box Processing

A memory exhaustion vulnerability has been identified in GPAC versions through 26.02.0. The issue arises in the SIDX box reading function within the file 'src/isomedia/box_code_base.c'. The vulnerability allows for unchecked memory allocation based on the number of references declared in the SIDX box, leading to excessive memory usage. This issue must be exploited locally and has been publicly disclosed.

Impact

Exploitation of this vulnerability causes a significant increase in memory usage, approximately 1.5 MB per invocation of the vulnerable function, due to unbounded allocation based on attacker-controlled input. This memory amplification can lead to denial-of-service conditions, particularly in environments with limited resources, such as embedded systems or automated media processing pipelines.

Reproduction

The vulnerability can be reproduced by creating a crafted MP4 file that includes a SIDX box with the 'nb_refs' field set to its maximum value (65535) but without any actual reference data. This file can then be processed with the GPAC tool 'MP4Box', which will trigger the vulnerability by reading the SIDX box and causing excessive memory allocation.

Remediation

Users are advised to update to GPAC version 26.03 or later, where this vulnerability has been fixed.