ID CVE-2021-21855 Type cve Reporter talos-cna@cisco.com Modified 2022-04-28T17:15:00
Description
Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause an integer overflow due to unchecked addition arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability.
{"id": "CVE-2021-21855", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2021-21855", "description": "Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause an integer overflow due to unchecked addition arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability.", "published": "2021-08-18T13:15:00", "modified": "2022-04-28T17:15:00", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "MEDIUM", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 6.8}, "severity": "MEDIUM", "exploitabilityScore": 8.6, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21855", "reporter": "talos-cna@cisco.com", "references": ["https://talosintelligence.com/vulnerability_reports/TALOS-2021-1299", "https://www.debian.org/security/2021/dsa-4966"], "cvelist": ["CVE-2021-21855"], "immutableFields": [], "lastseen": "2022-04-28T19:31:10", "viewCount": 24, "enchantments": {"dependencies": {"references": 
[{"type": "debian", "idList": ["DEBIAN:DSA-4966-1:64041"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2021-21855"]}, {"type": "nessus", "idList": ["DEBIAN_DSA-4966.NASL"]}, {"type": "talos", "idList": ["TALOS-2021-1299"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2021-21855"]}], "rev": 4}, "score": {"value": 5.4, "vector": "NONE"}, "twitter": {"counter": 2, "modified": "2021-08-19T11:28:31", "tweets": [{"link": "https://twitter.com/threatintelctr/status/1430251186796515328", "text": " NEW: CVE-2021-21855 Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input ... (click for more) Severity: HIGH https://t.co/elzWzUwLLM?amp=1"}, {"link": "https://twitter.com/threatintelctr/status/1430251186796515328", "text": " NEW: CVE-2021-21855 Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input ... 
(click for more) Severity: HIGH https://t.co/elzWzUwLLM?amp=1"}]}, "backreferences": {"references": [{"type": "debian", "idList": ["DEBIAN:DSA-4966-1:64041"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2021-21855"]}, {"type": "nessus", "idList": ["DEBIAN_DSA-4966.NASL"]}, {"type": "talos", "idList": ["TALOS-2021-1299"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2021-21855"]}]}, "exploitation": null, "vulnersScore": 5.4}, "_state": {"dependencies": 0}, "_internal": {}, "cna_cvss": {"cna": "Talos", "cvss": {"3": {"vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "score": 8.8}}}, "cpe": ["cpe:/a:gpac:gpac:1.0.1", "cpe:/o:debian:debian_linux:11.0"], "cpe23": ["cpe:2.3:a:gpac:gpac:1.0.1:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*"], "cwe": ["CWE-190"], "affectedSoftware": [{"cpeName": "gpac:gpac", "version": "1.0.1", "operator": "eq", "name": "gpac"}, {"cpeName": "debian:debian_linux", "version": "11.0", "operator": "eq", "name": "debian debian linux"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:gpac:gpac:1.0.1:*:*:*:*:*:*:*", "cpe_name": []}]}, {"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2021-1299", "name": "https://talosintelligence.com/vulnerability_reports/TALOS-2021-1299", "refsource": "MISC", "tags": ["Exploit", "Technical Description", "Third Party Advisory"]}, {"url": "https://www.debian.org/security/2021/dsa-4966", "name": "DSA-4966", "refsource": "DEBIAN", "tags": ["Third Party Advisory"]}]}
{"veracode": [{"lastseen": "2022-05-12T00:24:54", "description": "gpac is vulnerable to denial of service. An attacker is able to crash the system by getting a user to open a malicious video. \n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-02T18:40:17", "type": "veracode", "title": "Denial Of Service", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21855"], "modified": "2022-04-28T19:12:04", "id": "VERACODE:31929", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-31929/summary", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "ubuntucve": [{"lastseen": "2022-01-21T20:18:20", "description": "Multiple exploitable integer overflow vulnerabilities exist within the\nMPEG-4 decoding functionality of the GPAC Project on Advanced Content\nlibrary v1.0.1. A specially crafted MPEG-4 input can cause an integer\noverflow due to unchecked addition arithmetic resulting in a heap-based\nbuffer overflow that causes memory corruption. 
An attacker can convince a\nuser to open a video to trigger this vulnerability.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-18T00:00:00", "type": "ubuntucve", "title": "CVE-2021-21855", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21855"], "modified": "2021-08-18T00:00:00", "id": "UB:CVE-2021-21855", "href": "https://ubuntu.com/security/CVE-2021-21855", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "debiancve": [{"lastseen": "2022-03-03T07:32:40", "description": "Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause an integer overflow due to unchecked addition arithmetic resulting in a heap-based buffer overflow that causes memory corruption. 
An attacker can convince a user to open a video to trigger this vulnerability.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-18T13:15:00", "type": "debiancve", "title": "CVE-2021-21855", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21855"], "modified": "2021-08-18T13:15:00", "id": "DEBIANCVE:CVE-2021-21855", "href": "https://security-tracker.debian.org/tracker/CVE-2021-21855", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "talos": [{"lastseen": "2022-01-26T11:41:46", "description": "### Summary\n\nMultiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause an integer overflow due to unchecked addition arithmetic resulting in a heap-based buffer overflow that causes memory corruption. 
An attacker can convince a user to open a video to trigger this vulnerability.\n\n### Tested Versions\n\nGPAC Project Advanced Content commit a8a8d412dabcb129e695c3e7d861fcc81f608304 \nGPAC Project Advanced Content v1.0.1\n\n### Product URLs\n\n<https://gpac.wp.mines-telecom.fr>\n\n### CVSSv3 Score\n\n8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\n\n### CWE\n\nCWE-680 - Integer Overflow to Buffer Overflow\n\n### Details\n\nThe GPAC Project on Advanced Content is an open-source cross-platform library that implements the MPEG-4 Systems Standard, and provides tools for media playback, vector graphics, and 3d rendering. It supports a variety of multimedia standards and is thus used by a number of industrial users. The project also comes with the MP4Box tool which allows one to encode or decode media containers in a number of supported formats.\n\nWhen the GPAC library is used to open up an MPEG-4 container, the library will proceed to read each particular atom from the container whilst noting the atom\u2019s \u201ctype\u201d which is referred to as a FOURCC. This \u201ctype\u201d is then used to distinguish which particular parser will be used to parse the contents of an atom. During the parsing of the various atom types inside the MPEG-4 container, the library will read fields from the atom\u2019s contents and in some cases will use them to calculate the boundaries of the fields contained within the rest of the atom. In some of these parsers, the fields are explicitly trusted and then used to calculate the size of a heap-buffer which is then later used by the library. When the library allocates space for reading the rest of an atom, the library may miscalculate this size either due to an integer overflow, or an integer truncation which can result in an undersized heap allocation being made. Later in the atom parsing, when the library attempts to read the atom\u2019s contents into this heap buffer, a heap-based buffer overflow can be made to occur. 
This can result in code execution under the context of the library.\n\nThe GPAC library provides a variety of tools that the implementer may use when processing an MPEG-4 container. This would allow a user to either process the MPEG-4 container in fragments, or as a whole and complete source. When parsing a complete MPEG-4 container, a developer may use the following `gf_isom_open` function. This function is responsible for looking at the flags that it was given and chaining to the correct function in order to parse the input. At [1], the library will use the `OpenMode` flags from its parameters in order to call the `gf_isom_open_file` to process the input.\n \n \n src/isomedia/isom_read.c:500\n GF_EXPORT\n GF_ISOFile *gf_isom_open(const char *fileName, GF_ISOOpenMode OpenMode, const char *tmp_dir)\n {\n GF_ISOFile *movie;\n MP4_API_IO_Err = GF_OK;\n \n switch (OpenMode & 0xFF) {\n case GF_ISOM_OPEN_READ_DUMP:\n case GF_ISOM_OPEN_READ:\n movie = gf_isom_open_file(fileName, OpenMode, NULL); // [1] open up the given filename for reading\n break;\n ...\n default:\n return NULL;\n }\n return (GF_ISOFile *) movie;\n }\n \n\nThe following function is the implementation of the `gf_isom_open_file` function. The beginning of this function is responsible for opening up a media source by the library. After the library allocates the necessary data structures for supporting the parsing of a container, a call to the `gf_isom_parse_movie_boxes` function at [2] will be made. As noted in the comment, this is where the actual parsing of the contents of the input will occur. The MPEG-4 container format is based on a type-length-value format in order to define each structure\u2019s boundaries. These type-length-value structures are commonly referred to as \u201catoms\u201d or \u201cboxes\u201d. 
These \u201catoms\u201d may be recursively defined within the given container.\n \n \n src/isomedia/isom_intern.c:809\n GF_ISOFile *gf_isom_open_file(const char *fileName, GF_ISOOpenMode OpenMode, const char *tmp_dir)\n {\n GF_Err e;\n u64 bytes;\n GF_ISOFile *mov = gf_isom_new_movie();\n if (!mov || !fileName) return NULL;\n \n mov->fileName = gf_strdup(fileName);\n mov->openMode = OpenMode;\n ...\n if ( (OpenMode == GF_ISOM_OPEN_READ) || (OpenMode == GF_ISOM_OPEN_READ_DUMP) || (OpenMode == GF_ISOM_OPEN_READ_EDIT) ) {\n if (OpenMode == GF_ISOM_OPEN_READ_EDIT) {\n mov->openMode = GF_ISOM_OPEN_READ_EDIT;\n \n // create a memory edit map in case we add samples, typically during import\n e = gf_isom_datamap_new(NULL, tmp_dir, GF_ISOM_DATA_MAP_WRITE, & mov->editFileMap);\n if (e) {\n gf_isom_set_last_error(NULL, e);\n gf_isom_delete_movie(mov);\n return NULL;\n }\n } else {\n mov->openMode = GF_ISOM_OPEN_READ;\n }\n ...\n }\n \n //OK, let's parse the movie...\n mov->LastError = gf_isom_parse_movie_boxes(mov, NULL, &bytes, 0); // [2] parse each of the boxes within the file\n \n\nThe `gf_isom_parse_movie_boxes` function is simply a wrapper that will lock the input that is being parsed and then call into the actual parser. After performing the necessary locking around the input, the call at [3] to the `gf_isom_parse_movie_boxes_internal` function will then be called. This function will check the position that has been requested by the caller, use it to seek to the correct position in the input, and then proceed to parse the boxes associated with the container. 
As the MPEG-4 container format may be recursively defined, the function call at [4] to the `gf_isom_parse_root_box` is called to parse the root element of the movie container.\n \n \n src/isomedia/isom_intern.c:764\n GF_Err gf_isom_parse_movie_boxes(GF_ISOFile *mov, u32 *boxType, u64 *bytesMissing, Bool progressive_mode)\n {\n GF_Err e;\n GF_Blob *blob = NULL;\n ...\n e = gf_isom_parse_movie_boxes_internal(mov, boxType, bytesMissing, progressive_mode); // [3] \\ proceed to parse the movie boxies\n ...\n return e;\n }\n \\\n src/isomedia/isom_intern.c:289\n static GF_Err gf_isom_parse_movie_boxes_internal(GF_ISOFile *mov, u32 *boxType, u64 *bytesMissing, Bool progressive_mode)\n {\n GF_Box *a;\n u64 totSize, mdat_end=0;\n GF_Err e = GF_OK;\n ...\n /*while we have some data, parse our boxes*/\n while (gf_bs_available(mov->movieFileMap->bs)) {\n *bytesMissing = 0;\n ...\n e = gf_isom_parse_root_box(&a, mov->movieFileMap->bs, boxType, bytesMissing, progressive_mode); // [4] start by parsing the root box\n ...\n }\n ...\n return GF_OK;\n }\n \n\nAs prior mentioned, the atoms within an MPEG-4 container are recursively defined. The GPAC library chooses to implement its parser using a recursive algorithm. The primary function within the library\u2019s implementation is the `gf_isom_box_parse_ex` function. In the following code, the `gf_isom_parse_root_box` function is simply an entry-point to the recursive parser that lies within the implementation of the `gf_isom_box_parse_ex` function. At [5], the position of the input is set, and then the function call to `gf_isom_box_parse_ex` is used. The `gf_isom_box_parse_ex` function will start by reading the 32-bit size at [6] that is stored at the beginning of an atom\u2019s structure. Once the size has been read and checked, the next part of an atom\u2019s structure will be read. The next field in an atom is the type, or the FOURCC, which is then read into a local variable at [7]. 
In order to support larger atom sizes that may not fit entirely within 32-bits, the MPEG-4 standard allows for a 64-bit size. This is done by setting an atom\u2019s size to 1, at which point a 64-bit field containing the actual size will follow the FOURCC. At [8], the library will check if the size is 1 and then if so will proceed by reading the next 64-bit field from the atom, and then store it into the original size variable.\n \n \n src/isomedia/box_funcs.c:33\n GF_Err gf_isom_parse_root_box(GF_Box **outBox, GF_BitStream *bs, u32 *box_type, u64 *bytesExpected, Bool progressive_mode)\n {\n GF_Err ret;\n u64 start;\n start = gf_bs_get_position(bs);\n ret = gf_isom_box_parse_ex(outBox, bs, 0, GF_TRUE); // [5] perform the actual parsing of the root box\n ...\n return ret;\n }\n \\\n src/isomedia/box_funcs.c:91\n GF_Err gf_isom_box_parse_ex(GF_Box **outBox, GF_BitStream *bs, u32 parent_type, Bool is_root_box)\n {\n u32 type, uuid_type, hdr_size, restore_type;\n u64 size, start, comp_start, payload_start, end;\n char uuid[16];\n GF_Err e;\n GF_BitStream *uncomp_bs = NULL;\n u8 *uncomp_data = NULL;\n u32 compressed_size=0;\n GF_Box *newBox;\n Bool skip_logs = (gf_bs_get_cookie(bs) & GF_ISOM_BS_COOKIE_NO_LOGS ) ? 
GF_TRUE : GF_FALSE;\n Bool is_special = GF_TRUE;\n \n ...\n size = (u64) gf_bs_read_u32(bs); // [6] read the 32-bit size from the box or atom\n hdr_size = 4;\n /*fix for some boxes found in some old hinted files*/\n if ((size >= 2) && (size <= 4)) {\n size = 4;\n type = GF_ISOM_BOX_TYPE_VOID;\n } else {\n type = gf_bs_read_u32(bs); // [7] read the 32-bit type or FOURCC from the atom\n hdr_size += 4;\n ...\n }\n ...\n //handle large box\n if (size == 1) { // [8] if the size is 1, then\n if (gf_bs_available(bs) < 8) {\n return GF_ISOM_INCOMPLETE_FILE;\n }\n size = gf_bs_read_u64(bs); // [8] read the next 64-bit integer as the size\n hdr_size += 8;\n }\n \n\nContinuing through the implementation of the `gf_isom_box_parse_ex` function, the function will use the type and size that was read to parse the contents of the atom. This parsed atom will then later be appended to a linked list so that the container may be processed by the library. Within this library, an atom is stored within a structure that is of the type `GF_Box` which is then casted into the actual atom type after it has been constructed. In the following code, the `GF_Box` is first constructed at [9] using the `gf_isom_box_new_ex` function with the type and the atom\u2019s parent type as its parameters. After the `GF_Box` has been constructed, it will then be passed to the `gf_isom_full_box_read` function call at [10] in order to read a specific header if the FOURCC requires it, and then to the `gf_isom_box_read` function call at [11] to actually parse the atom.\n \n \n src/isomedia/box_funcs.c:217\n //some special boxes (references and track groups) are handled by a single generic box with an associated ref/group type\n if (parent_type && (parent_type == GF_ISOM_BOX_TYPE_TREF)) {\n ...\n } else {\n //OK, create the box based on the type\n is_special = GF_FALSE;\n newBox = gf_isom_box_new_ex(uuid_type ? 
uuid_type : type, parent_type, skip_logs, is_root_box); // [9] construct space for a Box (or atom)\n if (!newBox) return GF_OUT_OF_MEM;\n }\n \n ...\n newBox->size = size - hdr_size;\n \n e = gf_isom_full_box_read(newBox, bs); // [10] parse an atom's FullBox header\n if (!e) e = gf_isom_box_read(newBox, bs); // [11] parse the contents of the atom\n if (e) {\n if (gf_opts_get_bool(\"core\", \"no-check\"))\n e = GF_OK;\n }\n newBox->size = size;\n end = gf_bs_get_position(bs);\n \n ...\n return e;\n }\n \n\nIn order to determine how to construct the `GF_Box` type that is used during parsing, the current atom\u2019s type and its parent type are passed to the following function, `gf_isom_box_new_ex`. This function is responsible for looking up the atom\u2019s type inside a global array named `box_registry`, allocating the respective `GF_Box` structure, and initializing it with the necessary values prior to it being used. The global array, `box_registry` contains a list of all of the available atom types and is keyed by their FOURCC code. In order to find the index of the FOURCC for the atom being parsed, a call to the `get_box_reg_idx` function is made at [12] and given the FOURCC for the current atom along with the FOURCC of the current atom\u2019s parent. Inside the `get_box_reg_idx` function, the library will prepare to do a linear search through the global `box_registry` at [13] by first getting the total number of available FOURCC codes, and then converting the atom\u2019s parent FOURCC to a string. Afterwards these values will be used in the loop that follows in order to iterate through each defined element within the `box_registry`. At [14], the loop will then compare the FOURCC code that was passed as one of the function\u2019s parameters, and then check if the parent\u2019s FOURCC code was found within the current element. 
If these match the FOURCC provided in the function\u2019s parameters, then the index will be returned to the caller which will then use it at [15] to call the constructor that will allocate the real structure for the found FOURCC. Prior to returning to the caller, the `gf_isom_box_new_ex` function will update the `GF_Box` that was constructed with the registry that was used.\n \n \n src/isomedia/box_funcs.c:1630\n GF_Box *gf_isom_box_new_ex(u32 boxType, u32 parentType, Bool skip_logs, Bool is_root_box)\n {\n GF_Box *a;\n s32 idx = get_box_reg_idx(boxType, parentType, 0); // [12] figure out the index in the registry\n if (idx==0) {\n \\\n src/isomedia/box_funcs.c:1589\n static u32 get_box_reg_idx(u32 boxCode, u32 parent_type, u32 start_from)\n {\n u32 i=0, count = gf_isom_get_num_supported_boxes(); // [13] get available number of boxes\n const char *parent_name = parent_type ? gf_4cc_to_str(parent_type) : NULL; // [13] convert the parent type to a string\n \n if (!start_from) start_from = 1;\n \n for (i=start_from; i<count; i++) { // [13] enter loop\n u32 start_par_from;\n if (box_registry[i].box_4cc != boxCode) // [14] compare the FOURCC code for the current registry entry\n continue;\n \n if (!parent_type)\n return i;\n if (strstr(box_registry[i].parents_4cc, parent_name) != NULL) // [14] check that the parent's FOURCC is a valid type\n return i;\n if (strstr(box_registry[i].parents_4cc, \"*\") != NULL)\n return i;\n \n if (strstr(box_registry[i].parents_4cc, \"sample_entry\") == NULL)\n continue;\n ...\n }\n return 0;\n }\n /\n src/isomedia/box_funcs.c:1671\n a = box_registry[idx].new_fn(); // [15] construct the GF_Box structure\n \n if (a) {\n ...\n a->registry = &box_registry[idx]; // [15] assign the registry that was used\n \n if ((a->type==GF_ISOM_BOX_TYPE_COLR) && (parentType==GF_ISOM_BOX_TYPE_JP2H)) {\n ((GF_ColourInformationBox *)a)->is_jp2 = GF_TRUE;\n }\n }\n return a;\n }\n \n\nOnce the correct box structure has been constructed, then execution will 
then return back to the `gf_isom_box_parse_ex` function in order to actually use the `GF_Box`. At [10], the `gf_isom_full_box_read` function will be called to parse a particular category of FOURCC code. Upon entry into the `gf_isom_full_box_read` function, the library will check the `box_registry` entry for the FOURCC to see if it has a version associated with it. If so, the library will read a byte for the version and 3 bytes which maintain the flags for the currently read atom. After it has been read and the `GF_Box` structure has been updated, the library will return back to the `gf_isom_box_parse_ex` function and then pass the current `GF_Box` structure to the `gf_isom_box_read` function at [11]. This function is directly responsible for parsing the atom with the FOURCC that was previously looked up in the global `box_registry` array.\n \n \n src/isomedia/box_funcs.c:262\n newBox->size = size - hdr_size;\n \n e = gf_isom_full_box_read(newBox, bs); // [10] \\ parse an atom's FullBox header\n if (!e) e = gf_isom_box_read(newBox, bs); // [11] parse the contents of the atom\n if (e) {\n if (gf_opts_get_bool(\"core\", \"no-check\"))\n e = GF_OK;\n }\n newBox->size = size;\n end = gf_bs_get_position(bs);\n \\\n src/isomedia/box_funcs.c:1927\n static GF_Err gf_isom_full_box_read(GF_Box *ptr, GF_BitStream *bs)\n {\n if (ptr->registry->max_version_plus_one) {\n GF_FullBox *self = (GF_FullBox *) ptr;\n ISOM_DECREASE_SIZE(ptr, 4)\n self->version = gf_bs_read_u8(bs);\n self->flags = gf_bs_read_u24(bs);\n }\n return GF_OK;\n }\n \n\nIn the following code, the library will look at the `registry` field from the `GF_Box` that was passed as its parameter, and use it to access the entry that was discovered when searching the global `box_registry` array for the FOURCC code belonging to the atom read from the input. 
At [12], the `read_fn` field from the `box_registry` entry is dereferenced in order to continue to parse the contents of the atom that is being processed by the `gf_isom_box_parse_ex` function.\n \n \n src/isomedia/box_funcs.c:1801\n GF_Err gf_isom_box_read(GF_Box *a, GF_BitStream *bs)\n {\n if (!a) return GF_BAD_PARAM;\n if (!a->registry) {\n GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[iso file] Read invalid box type %s without registry\\n\", gf_4cc_to_str(a->type) ));\n return GF_ISOM_INVALID_FILE;\n }\n return a->registry->read_fn(a, bs); // [12] dispatch to the parser that was stored in the GF_Box registry field.\n }\n \n\n#### CVE-2021-21853 - \u201cname\u201d decoder\n\nIn order to parse an atom with the \u201cname\u201d FOURCC code, the following function will be used. This function will first take the 64-bit size and truncate it to a 32-bit integer at [16]. After storing the size, the library will then add 1 to it and use it at [17] to allocate a buffer on the heap. If the 32-bit size is set to `UINT_MAX`, this addition will cause an integer overflow resulting in a zero-sized allocation being made. Later at [18], when the library uses the 32-bit length, the library will read data from the input into the undersized buffer resulting in a large heap-based buffer overflow.\n \n \n src/isomedia/box_code_base.c:2607\n GF_Err name_box_read(GF_Box *s, GF_BitStream *bs)\n {\n u32 length;\n GF_NameBox *ptr = (GF_NameBox *)s;\n \n length = (u32) (ptr->size); // [16] clamp 64-bit size to 32-bit integer\n ptr->string = (char*)gf_malloc(sizeof(char) * (length+1)); // [17] add 1 to length resulting in an integer overflow\n if (! ptr->string) return GF_OUT_OF_MEM;\n \n gf_bs_read_data(bs, ptr->string, length); // [18] read data from input into undersized buffer\n ptr->string[length] = 0; // [18] write null byte outside bounds of zero-sized allocation\n return GF_OK;\n }\n \n\n#### Crash Information\n\nThe provided proof-of-concept sets the atom\u2019s size to 0x10000000f. 
The header of the \u201cname\u201d atom is 0x10 bytes in size, resulting in the 0xffffffff left for the atom\u2019s contents. Adding 1 to this length results in the 0x100000000 length being used. This is then truncated to a 32-bit integer, resulting in a zero-sized allocation being made. Afterwards, the atom\u2019s contents will read 0xffffffff bytes into the zero-sized buffer.\n \n \n =================================================================\n ==182==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf1200751 at pc 0x004dbfb7 bp 0xffdd66f8 sp 0xffdd62d8\n WRITE of size 496 at 0xf1200751 thread T0\n #0 0x4dbfb6 in __asan_memcpy (/root/harness/parser32.asan+0x4dbfb6)\n #1 0xf44431d0 in gf_bs_read_data /root/src/utils/bitstream.c:672:5\n #2 0xf503fc48 in name_box_read /root/src/isomedia/box_code_base.c:2616:2\n #3 0xf5218097 in gf_isom_box_read /root/src/isomedia/box_funcs.c:1808:9\n #4 0xf5212c28 in gf_isom_box_parse_ex /root/src/isomedia/box_funcs.c:265:14\n #5 0xf5268ced in gf_isom_parse_root_box /root/src/isomedia/box_funcs.c:38:8\n #6 0xf5268ced in gf_isom_parse_movie_boxes_internal /root/src/isomedia/isom_intern.c:318:7\n #7 0xf5267bc0 in gf_isom_parse_movie_boxes /root/src/isomedia/isom_intern.c:777:6\n #8 0xf527b3f7 in gf_isom_open_file /root/src/isomedia/isom_intern.c:897:19\n #9 0xf5294061 in gf_isom_open /root/src/isomedia/isom_read.c:509:11\n #10 0x512f6a in main /root/harness/parser.c:50:13\n #11 0xf39f5ee4 in __libc_start_main (/lib32/libc.so.6+0x1eee4)\n #12 0x4621e5 in _start (/root/harness/parser32.asan+0x4621e5)\n \n 0xf1200751 is located 0 bytes to the right of 1-byte region [0xf1200750,0xf1200751)\n allocated by thread T0 here:\n #0 0x4dcb75 in malloc (/root/harness/parser32.asan+0x4dcb75)\n #1 0xf503fbe3 in gf_malloc /root/src/utils/alloc.c:150:9\n #2 0xf503fbe3 in name_box_read /root/src/isomedia/box_code_base.c:2613:23\n #3 0xf5218097 in gf_isom_box_read /root/src/isomedia/box_funcs.c:1808:9\n #4 0xf5212c28 in 
gf_isom_box_parse_ex /root/src/isomedia/box_funcs.c:265:14\n #5 0xf5268ced in gf_isom_parse_root_box /root/src/isomedia/box_funcs.c:38:8\n #6 0xf5268ced in gf_isom_parse_movie_boxes_internal /root/src/isomedia/isom_intern.c:318:7\n #7 0xf5267bc0 in gf_isom_parse_movie_boxes /root/src/isomedia/isom_intern.c:777:6\n #8 0xf527b3f7 in gf_isom_open_file /root/src/isomedia/isom_intern.c:897:19\n #9 0xf5294061 in gf_isom_open /root/src/isomedia/isom_read.c:509:11\n #10 0x512f6a in main /root/harness/parser.c:50:13\n #11 0xf39f5ee4 in __libc_start_main (/lib32/libc.so.6+0x1eee4)\n \n SUMMARY: AddressSanitizer: heap-buffer-overflow (/root/harness/parser32.asan+0x4dbfb6) in __asan_memcpy\n Shadow bytes around the buggy address:\n 0x3e240090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x3e2400a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x3e2400b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x3e2400c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x3e2400d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n =>0x3e2400e0: fa fa fa fa fa fa fa fa fa fa[01]fa fa fa fd fa\n 0x3e2400f0: fa fa 00 fa fa fa 00 04 fa fa fa fa fa fa fa fa\n 0x3e240100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x3e240110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x3e240120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x3e240130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n Shadow byte legend (one shadow byte represents 8 application bytes):\n Addressable: 00\n Partially addressable: 01 02 03 04 05 06 07 \n Heap left redzone: fa\n Freed heap region: fd\n Stack left redzone: f1\n Stack mid redzone: f2\n Stack right redzone: f3\n Stack after return: f5\n Stack use after scope: f8\n Global redzone: f9\n Global init order: f6\n Poisoned by user: f7\n Container overflow: fc\n Array cookie: ac\n Intra object redzone: bb\n ASan internal: fe\n Left alloca redzone: ca\n Right alloca redzone: cb\n Shadow gap: cc\n ==182==ABORTING\n \n\n#### CVE-2021-21854 - 
\u201crtp \u201c decoder\n\nWhen parsing an atom with the \u201crtp \u201c FOURCC code when its parent atom is using the \u201chnti\u201d FOURCC code, the following function will be used. This function takes the 64-bit size for the atom, and then truncates it to a 32-bit integer at [19]. This size will then be used to allocate memory at [20] after adding 1 to it. When the 32-bit size is set to `UINT_MAX`, this addition will result in an integer overflow. As this length is then passed to the `gf_malloc` function, a zero-sized buffer will be allocated. Later at [21], the library will then use the 32-bit length prior to the addition of 1, and then read data from the input into the undersized buffer. This and the null termination will write outside the bounds of the undersized buffer, corrupting memory due to a buffer overflow and a relative write.\n \n \n src/isomedia/box_code_base.c:1940\n GF_Err rtp_hnti_box_read(GF_Box *s, GF_BitStream *bs)\n {\n u32 length;\n GF_RTPBox *ptr = (GF_RTPBox *)s;\n if (ptr == NULL) return GF_BAD_PARAM;\n \n ISOM_DECREASE_SIZE(ptr, 4)\n ptr->subType = gf_bs_read_u32(bs);\n \n length = (u32) (ptr->size); // [19] clamp 64-bit size to 32-bit integer\n //sdp text has no delimiter !!!\n ptr->sdpText = (char*)gf_malloc(sizeof(char) * (length+1)); // [20] add 1 to length resulting in an integer overflow\n if (!ptr->sdpText) return GF_OUT_OF_MEM;\n \n gf_bs_read_data(bs, ptr->sdpText, length); // [21] read data from input into undersized buffer\n ptr->sdpText[length] = 0; // [21] write null byte outside bounds of zero-sized allocation\n return GF_OK;\n }\n \n\n#### Crash Information\n\nThe provided proof-of-concept sets the atom\u2019s 64-bit size to 0x100000013. After reading 0x10 bytes from the atom\u2019s header, a 32-bit integer is read for the \u201csubType\u201d field. This results in a length of 0xffffffff which is added to 1 when allocating the heap buffer. 
Due to the integer truncation, this results in a zero-sized buffer being allocated. Afterwards, the library will proceed by reading 0xffffffff bytes from the atom into the zero-sized buffer.\n \n \n =================================================================\n ==192==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf1200751 at pc 0x004dbfb7 bp 0xffb2e828 sp 0xffb2e408\n WRITE of size 484 at 0xf1200751 thread T0\n #0 0x4dbfb6 in __asan_memcpy (/root/harness/parser32.asan+0x4dbfb6)\n #1 0xf43ff1d0 in gf_bs_read_data /root/src/utils/bitstream.c:672:5\n #2 0xf4fefb26 in rtp_hnti_box_read /root/src/isomedia/box_code_base.c:1954:2\n #3 0xf51d4097 in gf_isom_box_read /root/src/isomedia/box_funcs.c:1808:9\n #4 0xf51cec28 in gf_isom_box_parse_ex /root/src/isomedia/box_funcs.c:265:14\n #5 0xf51d5418 in gf_isom_box_array_read_ex /root/src/isomedia/box_funcs.c:1705:7\n #6 0xf4feea62 in hnti_box_read /root/src/isomedia/box_code_base.c:1859:9\n #7 0xf51d4097 in gf_isom_box_read /root/src/isomedia/box_funcs.c:1808:9\n #8 0xf51cec28 in gf_isom_box_parse_ex /root/src/isomedia/box_funcs.c:265:14\n #9 0xf5224ced in gf_isom_parse_root_box /root/src/isomedia/box_funcs.c:38:8\n #10 0xf5224ced in gf_isom_parse_movie_boxes_internal /root/src/isomedia/isom_intern.c:318:7\n #11 0xf5223bc0 in gf_isom_parse_movie_boxes /root/src/isomedia/isom_intern.c:777:6\n #12 0xf52373f7 in gf_isom_open_file /root/src/isomedia/isom_intern.c:897:19\n #13 0xf5250061 in gf_isom_open /root/src/isomedia/isom_read.c:509:11\n #14 0x512f6a in main /root/harness/parser.c:50:13\n #15 0xf39b1ee4 in __libc_start_main (/lib32/libc.so.6+0x1eee4)\n #16 0x4621e5 in _start (/root/harness/parser32.asan+0x4621e5)\n \n 0xf1200751 is located 0 bytes to the right of 1-byte region [0xf1200750,0xf1200751)\n allocated by thread T0 here:\n #0 0x4dcb75 in malloc (/root/harness/parser32.asan+0x4dcb75)\n #1 0xf4fefabe in gf_malloc /root/src/utils/alloc.c:150:9\n #2 0xf4fefabe in rtp_hnti_box_read 
/root/src/isomedia/box_code_base.c:1951:24\n #3 0xf51d4097 in gf_isom_box_read /root/src/isomedia/box_funcs.c:1808:9\n #4 0xf51cec28 in gf_isom_box_parse_ex /root/src/isomedia/box_funcs.c:265:14\n #5 0xf51d5418 in gf_isom_box_array_read_ex /root/src/isomedia/box_funcs.c:1705:7\n #6 0xf4feea62 in hnti_box_read /root/src/isomedia/box_code_base.c:1859:9\n #7 0xf51d4097 in gf_isom_box_read /root/src/isomedia/box_funcs.c:1808:9\n #8 0xf51cec28 in gf_isom_box_parse_ex /root/src/isomedia/box_funcs.c:265:14\n #9 0xf5224ced in gf_isom_parse_root_box /root/src/isomedia/box_funcs.c:38:8\n #10 0xf5224ced in gf_isom_parse_movie_boxes_internal /root/src/isomedia/isom_intern.c:318:7\n #11 0xf5223bc0 in gf_isom_parse_movie_boxes /root/src/isomedia/isom_intern.c:777:6\n #12 0xf52373f7 in gf_isom_open_file /root/src/isomedia/isom_intern.c:897:19\n #13 0xf5250061 in gf_isom_open /root/src/isomedia/isom_read.c:509:11\n #14 0x512f6a in main /root/harness/parser.c:50:13\n #15 0xf39b1ee4 in __libc_start_main (/lib32/libc.so.6+0x1eee4)\n \n SUMMARY: AddressSanitizer: heap-buffer-overflow (/root/harness/parser32.asan+0x4dbfb6) in __asan_memcpy\n Shadow bytes around the buggy address:\n 0x3e240090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x3e2400a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x3e2400b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x3e2400c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x3e2400d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n =>0x3e2400e0: fa fa fa fa fa fa fa fa fa fa[01]fa fa fa fd fa\n 0x3e2400f0: fa fa 00 fa fa fa 00 04 fa fa fa fa fa fa fa fa\n 0x3e240100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x3e240110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x3e240120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x3e240130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n Shadow byte legend (one shadow byte represents 8 application bytes):\n Addressable: 00\n Partially addressable: 01 02 03 04 05 06 07 \n 
Heap left redzone: fa\n Freed heap region: fd\n Stack left redzone: f1\n Stack mid redzone: f2\n Stack right redzone: f3\n Stack after return: f5\n Stack use after scope: f8\n Global redzone: f9\n Global init order: f6\n Poisoned by user: f7\n Container overflow: fc\n Array cookie: ac\n Intra object redzone: bb\n ASan internal: fe\n Left alloca redzone: ca\n Right alloca redzone: cb\n Shadow gap: cc\n ==192==ABORTING\n \n\n#### CVE-2021-21855 - \u201csdp \u201c decoder\n\nThe following function is responsible for parsing atoms that use the \u201csdp \u201c FOURCC code. This function will start by clamping the 64-bit size to a 32-bit integer and assigning it to the \u201clength\u201d variable at [22]. Afterwards at [23], the library will add 1 to the length and use it to allocate space on the heap. If this \u201clength\u201d is set to `UINT_MAX`, this addition will cause an integer overflow which when passed to the `gf_malloc` function can result in a zero-sized allocation being made. Afterwards at [24], the library will use the `UINT_MAX` length to read data from the atom into the zero-sized allocation. 
This and the null-termination will write outside the bounds of the buffer resulting in the corruption of memory.\n \n \n src/isomedia/box_code_base.c:1886\n GF_Err sdp_box_read(GF_Box *s, GF_BitStream *bs)\n {\n u32 length;\n GF_SDPBox *ptr = (GF_SDPBox *)s;\n if (ptr == NULL) return GF_BAD_PARAM;\n \n length = (u32) (ptr->size); // [22] clamp 64-bit size to 32-bit integer\n //sdp text has no delimiter !!!\n ptr->sdpText = (char*)gf_malloc(sizeof(char) * (length+1)); // [23] add 1 to length causing an integer overflow\n if (!ptr->sdpText) return GF_OUT_OF_MEM;\n \n gf_bs_read_data(bs, ptr->sdpText, length); // [24] read data into zero-sized buffer\n ptr->sdpText[length] = 0; // [24] write null termination outside bounds of zero-sized allocation\n return GF_OK;\n }\n \n\n#### Crash Information\n\nThe provided proof-of-concept sets the atom\u2019s 64-bit length to 0x10000000f. After the atom\u2019s 0x10 byte header is subtracted, this results in the length being 0xffffffff. When the function allocates its memory, 1 is added to this value which when truncated will result in a zero-sized buffer being returned. 
Afterwards, the function will use the 0xffffffff length to read the atom into the zero-sized buffer.\n \n \n =================================================================\n ==207==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf1200751 at pc 0x004dbfb7 bp 0xffa69d58 sp 0xffa69938\n WRITE of size 496 at 0xf1200751 thread T0\n #0 0x4dbfb6 in __asan_memcpy (/root/harness/parser32.asan+0x4dbfb6)\n #1 0xf44521d0 in gf_bs_read_data /root/src/utils/bitstream.c:672:5\n #2 0xf5041db8 in sdp_box_read /root/src/isomedia/box_code_base.c:1897:2\n #3 0xf5227097 in gf_isom_box_read /root/src/isomedia/box_funcs.c:1808:9\n #4 0xf5221c28 in gf_isom_box_parse_ex /root/src/isomedia/box_funcs.c:265:14\n #5 0xf5277ced in gf_isom_parse_root_box /root/src/isomedia/box_funcs.c:38:8\n #6 0xf5277ced in gf_isom_parse_movie_boxes_internal /root/src/isomedia/isom_intern.c:318:7\n #7 0xf5276bc0 in gf_isom_parse_movie_boxes /root/src/isomedia/isom_intern.c:777:6\n #8 0xf528a3f7 in gf_isom_open_file /root/src/isomedia/isom_intern.c:897:19\n #9 0xf52a3061 in gf_isom_open /root/src/isomedia/isom_read.c:509:11\n #10 0x512f6a in main /root/harness/parser.c:50:13\n #11 0xf3a04ee4 in __libc_start_main (/lib32/libc.so.6+0x1eee4)\n #12 0x4621e5 in _start (/root/harness/parser32.asan+0x4621e5)\n \n 0xf1200751 is located 0 bytes to the right of 1-byte region [0xf1200750,0xf1200751)\n allocated by thread T0 here:\n #0 0x4dcb75 in malloc (/root/harness/parser32.asan+0x4dcb75)\n #1 0xf5041d53 in gf_malloc /root/src/utils/alloc.c:150:9\n #2 0xf5041d53 in sdp_box_read /root/src/isomedia/box_code_base.c:1894:24\n #3 0xf5227097 in gf_isom_box_read /root/src/isomedia/box_funcs.c:1808:9\n #4 0xf5221c28 in gf_isom_box_parse_ex /root/src/isomedia/box_funcs.c:265:14\n #5 0xf5277ced in gf_isom_parse_root_box /root/src/isomedia/box_funcs.c:38:8\n #6 0xf5277ced in gf_isom_parse_movie_boxes_internal /root/src/isomedia/isom_intern.c:318:7\n #7 0xf5276bc0 in gf_isom_parse_movie_boxes 
/root/src/isomedia/isom_intern.c:777:6\n #8 0xf528a3f7 in gf_isom_open_file /root/src/isomedia/isom_intern.c:897:19\n #9 0xf52a3061 in gf_isom_open /root/src/isomedia/isom_read.c:509:11\n #10 0x512f6a in main /root/harness/parser.c:50:13\n #11 0xf3a04ee4 in __libc_start_main (/lib32/libc.so.6+0x1eee4)\n \n SUMMARY: AddressSanitizer: heap-buffer-overflow (/root/harness/parser32.asan+0x4dbfb6) in __asan_memcpy\n Shadow bytes around the buggy address:\n 0x3e240090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x3e2400a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x3e2400b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x3e2400c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x3e2400d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n =>0x3e2400e0: fa fa fa fa fa fa fa fa fa fa[01]fa fa fa fd fa\n 0x3e2400f0: fa fa 00 fa fa fa 00 04 fa fa fa fa fa fa fa fa\n 0x3e240100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x3e240110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x3e240120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x3e240130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n Shadow byte legend (one shadow byte represents 8 application bytes):\n Addressable: 00\n Partially addressable: 01 02 03 04 05 06 07 \n Heap left redzone: fa\n Freed heap region: fd\n Stack left redzone: f1\n Stack mid redzone: f2\n Stack right redzone: f3\n Stack after return: f5\n Stack use after scope: f8\n Global redzone: f9\n Global init order: f6\n Poisoned by user: f7\n Container overflow: fc\n Array cookie: ac\n Intra object redzone: bb\n ASan internal: fe\n Left alloca redzone: ca\n Right alloca redzone: cb\n Shadow gap: cc\n ==207==ABORTING\n \n\n#### CVE-2021-21856 - \u201csvhd\u201d decoder\n\nThe following function is responsible for parsing atoms that use the \u201csvhd\u201d FOURCC code. This implementation is used to read a string from the atom\u2019s contents. 
At [25], the function will take the 64-bit atom size, add 1 to it, and then truncate it to 32-bits prior to passing it to the `gf_malloc` function. Due to the 32-bit truncation, if the atom size is set to `UINT_MAX`, this can result in a zero-sized buffer being returned by `gf_malloc`. After verifying the allocation was successful, the function will read the contents of the atom into the zero-sized array, and then null-terminate the string. Due to the size of the buffer being 0, this will write outside the bounds of the allocation resulting in a heap-based buffer overflow.\n \n \n src/isomedia/box_code_base.c:12577\n GF_Err svhd_box_read(GF_Box *s, GF_BitStream *bs)\n {\n GF_SphericalVideoInfoBox *ptr = (GF_SphericalVideoInfoBox *)s;\n ptr->string = gf_malloc(sizeof(char) * ((u32) ptr->size+1)); // [25] add 1 and then clamp size to 32-bits\n if (!ptr->string) return GF_OUT_OF_MEM;\n gf_bs_read_data(bs, ptr->string, (u32) ptr->size); // [26] read into undersized array\n ptr->string[ptr->size] = 0; // [26] null-terminate string read from atom\n return GF_OK;\n }\n \n\n#### Crash Information\n\nIn the provided proof-of-concept, the atom\u2019s 64-bit size is set to 0x100000013. After the 0x10 byte header is read, 4 bytes are read for the 8-bit \u201cVersion\u201d and the 24-bit \u201cFlags\u201d. This sets the length to 0xffffffff. When 1 is added to this length, this will result in 0x100000000 which when truncated will result in a zero-sized allocation being made. 
Afterwards, the parser will read 0xffffffff bytes from the atom into the zero-sized buffer causing a buffer overflow.\n \n \n =================================================================\n ==257==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf1100751 at pc 0x004dbfb7 bp 0xffa4fdf8 sp 0xffa4f9d8\n WRITE of size 492 at 0xf1100751 thread T0\n #0 0x4dbfb6 in __asan_memcpy (/root/harness/parser32.asan+0x4dbfb6)\n #1 0xf43cb1d0 in gf_bs_read_data /root/src/utils/bitstream.c:672:5\n #2 0xf50cbf9b in svhd_box_read /root/src/isomedia/box_code_base.c:12582:2\n #3 0xf51a0097 in gf_isom_box_read /root/src/isomedia/box_funcs.c:1808:9\n #4 0xf519ad5d in gf_isom_box_parse_ex /root/src/isomedia/box_funcs.c:265:14\n #5 0xf51f0ced in gf_isom_parse_root_box /root/src/isomedia/box_funcs.c:38:8\n #6 0xf51f0ced in gf_isom_parse_movie_boxes_internal /root/src/isomedia/isom_intern.c:318:7\n #7 0xf51efbc0 in gf_isom_parse_movie_boxes /root/src/isomedia/isom_intern.c:777:6\n #8 0xf52033f7 in gf_isom_open_file /root/src/isomedia/isom_intern.c:897:19\n #9 0xf521c061 in gf_isom_open /root/src/isomedia/isom_read.c:509:11\n #10 0x512f6a in main /root/harness/parser.c:50:13\n #11 0xf397dee4 in __libc_start_main (/lib32/libc.so.6+0x1eee4)\n #12 0x4621e5 in _start (/root/harness/parser32.asan+0x4621e5)\n \n 0xf1100751 is located 0 bytes to the right of 1-byte region [0xf1100750,0xf1100751)\n allocated by thread T0 here:\n #0 0x4dcb75 in malloc (/root/harness/parser32.asan+0x4dcb75)\n #1 0xf50cbed8 in gf_malloc /root/src/utils/alloc.c:150:9\n #2 0xf50cbed8 in svhd_box_read /root/src/isomedia/box_code_base.c:12580:16\n #3 0xf51a0097 in gf_isom_box_read /root/src/isomedia/box_funcs.c:1808:9\n #4 0xf519ad5d in gf_isom_box_parse_ex /root/src/isomedia/box_funcs.c:265:14\n #5 0xf51f0ced in gf_isom_parse_root_box /root/src/isomedia/box_funcs.c:38:8\n #6 0xf51f0ced in gf_isom_parse_movie_boxes_internal /root/src/isomedia/isom_intern.c:318:7\n #7 0xf51efbc0 in gf_isom_parse_movie_boxes 
/root/src/isomedia/isom_intern.c:777:6\n #8 0xf52033f7 in gf_isom_open_file /root/src/isomedia/isom_intern.c:897:19\n #9 0xf521c061 in gf_isom_open /root/src/isomedia/isom_read.c:509:11\n #10 0x512f6a in main /root/harness/parser.c:50:13\n #11 0xf397dee4 in __libc_start_main (/lib32/libc.so.6+0x1eee4)\n \n SUMMARY: AddressSanitizer: heap-buffer-overflow (/root/harness/parser32.asan+0x4dbfb6) in __asan_memcpy\n Shadow bytes around the buggy address:\n 0x3e220090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x3e2200a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x3e2200b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x3e2200c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x3e2200d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n =>0x3e2200e0: fa fa fa fa fa fa fa fa fa fa[01]fa fa fa fd fa\n 0x3e2200f0: fa fa 00 fa fa fa 00 04 fa fa fa fa fa fa fa fa\n 0x3e220100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x3e220110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x3e220120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x3e220130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n Shadow byte legend (one shadow byte represents 8 application bytes):\n Addressable: 00\n Partially addressable: 01 02 03 04 05 06 07 \n Heap left redzone: fa\n Freed heap region: fd\n Stack left redzone: f1\n Stack mid redzone: f2\n Stack right redzone: f3\n Stack after return: f5\n Stack use after scope: f8\n Global redzone: f9\n Global init order: f6\n Poisoned by user: f7\n Container overflow: fc\n Array cookie: ac\n Intra object redzone: bb\n ASan internal: fe\n Left alloca redzone: ca\n Right alloca redzone: cb\n Shadow gap: cc\n ==257==ABORTING\n \n\n#### CVE-2021-21857 - \u201ctxtc\u201d decoder\n\nThe implementation of the parser for the \u201ctxtc\u201d FOURCC code is responsible for reading a string from the atom, and then null-terminating it. 
At [27], the function will take the 32-bit size and add 1 to it before truncating it to a 32-bit integer and then passing it as a parameter to the `gf_malloc` function. If the atom size is set to `UINT_MAX`, this addition when truncated to a 32-bit integer can result in an integer overflow causing the allocation to return a zero-sized buffer. Afterwards at [29], the function will use the original non-truncated atom size to read the contents of the atom into the zero-sized buffer. This will then cause a heap-based buffer overflow when reading the string from the atom, and then null-terminating it.\n \n \n src/isomedia/box_code_base.c:8518\n GF_Err txtc_box_read(GF_Box *s, GF_BitStream *bs)\n {\n GF_TextConfigBox *ptr = (GF_TextConfigBox*)s;\n ptr->config = (char *)gf_malloc(sizeof(char)*((u32) ptr->size+1)); // [27] add 1 to atom size and truncate to 32-bits\n if (!ptr->config) return GF_OUT_OF_MEM;\n gf_bs_read_data(bs, ptr->config, (u32) ptr->size); // [28] read into buffer using original 32-bit size\n ptr->config[ptr->size] = 0; // [29] null-terminate allocated buffer\n return GF_OK;\n }\n \n\n#### Crash Information\n\nThe provided proof-of-concept sets the atom\u2019s 64-bit size to 0x100000013. After subtracting 0x10 bytes for the header, 4 bytes are read for the 8-bit \u201cVersion\u201d and the 24-bit \u201cFlags\u201d. This results in a length of 0xffffffff. The allocation adds 1 to this length resulting in 0x100000000, which when truncated results in a zero-sized allocation being made. 
Afterwards, the function will read 0xffffffff bytes into this zero-sized buffer causing the buffer overflow.\n \n \n =================================================================\n ==277==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf1200751 at pc 0x004dbfb7 bp 0xffd37778 sp 0xffd37358\n WRITE of size 492 at 0xf1200751 thread T0\n #0 0x4dbfb6 in __asan_memcpy (/root/harness/parser32.asan+0x4dbfb6)\n #1 0xf44a21d0 in gf_bs_read_data /root/src/utils/bitstream.c:672:5\n #2 0xf513097b in txtc_box_read /root/src/isomedia/box_code_base.c:8523:2\n #3 0xf5277097 in gf_isom_box_read /root/src/isomedia/box_funcs.c:1808:9\n #4 0xf5271d5d in gf_isom_box_parse_ex /root/src/isomedia/box_funcs.c:265:14\n #5 0xf52c7ced in gf_isom_parse_root_box /root/src/isomedia/box_funcs.c:38:8\n #6 0xf52c7ced in gf_isom_parse_movie_boxes_internal /root/src/isomedia/isom_intern.c:318:7\n #7 0xf52c6bc0 in gf_isom_parse_movie_boxes /root/src/isomedia/isom_intern.c:777:6\n #8 0xf52da3f7 in gf_isom_open_file /root/src/isomedia/isom_intern.c:897:19\n #9 0xf52f3061 in gf_isom_open /root/src/isomedia/isom_read.c:509:11\n #10 0x512f6a in main /root/harness/parser.c:50:13\n #11 0xf3a54ee4 in __libc_start_main (/lib32/libc.so.6+0x1eee4)\n #12 0x4621e5 in _start (/root/harness/parser32.asan+0x4621e5)\n \n 0xf1200751 is located 0 bytes to the right of 1-byte region [0xf1200750,0xf1200751)\n allocated by thread T0 here:\n #0 0x4dcb75 in malloc (/root/harness/parser32.asan+0x4dcb75)\n #1 0xf51308b8 in gf_malloc /root/src/utils/alloc.c:150:9\n #2 0xf51308b8 in txtc_box_read /root/src/isomedia/box_code_base.c:8521:24\n #3 0xf5277097 in gf_isom_box_read /root/src/isomedia/box_funcs.c:1808:9\n #4 0xf5271d5d in gf_isom_box_parse_ex /root/src/isomedia/box_funcs.c:265:14\n #5 0xf52c7ced in gf_isom_parse_root_box /root/src/isomedia/box_funcs.c:38:8\n #6 0xf52c7ced in gf_isom_parse_movie_boxes_internal /root/src/isomedia/isom_intern.c:318:7\n #7 0xf52c6bc0 in gf_isom_parse_movie_boxes 
/root/src/isomedia/isom_intern.c:777:6\n #8 0xf52da3f7 in gf_isom_open_file /root/src/isomedia/isom_intern.c:897:19\n #9 0xf52f3061 in gf_isom_open /root/src/isomedia/isom_read.c:509:11\n #10 0x512f6a in main /root/harness/parser.c:50:13\n #11 0xf3a54ee4 in __libc_start_main (/lib32/libc.so.6+0x1eee4)\n \n SUMMARY: AddressSanitizer: heap-buffer-overflow (/root/harness/parser32.asan+0x4dbfb6) in __asan_memcpy\n Shadow bytes around the buggy address:\n 0x3e240090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x3e2400a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x3e2400b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x3e2400c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x3e2400d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n =>0x3e2400e0: fa fa fa fa fa fa fa fa fa fa[01]fa fa fa fd fa\n 0x3e2400f0: fa fa 00 fa fa fa 00 04 fa fa fa fa fa fa fa fa\n 0x3e240100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x3e240110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x3e240120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x3e240130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n Shadow byte legend (one shadow byte represents 8 application bytes):\n Addressable: 00\n Partially addressable: 01 02 03 04 05 06 07 \n Heap left redzone: fa\n Freed heap region: fd\n Stack left redzone: f1\n Stack mid redzone: f2\n Stack right redzone: f3\n Stack after return: f5\n Stack use after scope: f8\n Global redzone: f9\n Global init order: f6\n Poisoned by user: f7\n Container overflow: fc\n Array cookie: ac\n Intra object redzone: bb\n ASan internal: fe\n Left alloca redzone: ca\n Right alloca redzone: cb\n Shadow gap: cc\n ==277==ABORTING\n \n\n#### CVE-2021-21858 - \u201curl \u201c decoder\n\nThe following function is the parser used by the library in order to read the contents of an atom using the \u201curl \u201c FOURCC code. 
This function will first check that the 64-bit atom size is non-zero, and then at [30] will truncate the atom size to 32-bits when allocating space on the heap. After reading the contents of the atom using the 32-bit truncated size, the function will then use the original 64-bit size when accessing the allocated heap buffer. Due to the allocated size being truncated to 32-bits, this can result in an out-of-bounds read on 64-bit platforms.\n \n \n src/isomedia/box_code_base.c:575\n GF_Err url_box_read(GF_Box *s, GF_BitStream *bs)\n {\n GF_DataEntryURLBox *ptr = (GF_DataEntryURLBox *)s;\n \n if (ptr->size) {\n ptr->location = (char*)gf_malloc((u32) ptr->size); // [30] truncate 64-bit atom size to 32-bits\n if (! ptr->location) return GF_OUT_OF_MEM;\n gf_bs_read_data(bs, ptr->location, (u32)ptr->size);\n if (ptr->location[ptr->size-1]) { // [31] use non-truncated 64-bit atom size to access array\n GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, (\"[iso file] url box location is not 0-terminated\\n\" ));\n return GF_ISOM_INVALID_FILE;\n }\n }\n return GF_OK;\n }\n \n\n#### Crash Information\n\nThe provided proof-of-concept sets the atom\u2019s 64-bit length to 0x100000014. After reading 0x10 bytes from the header, followed by 8-bits for the \u201cVersion\u201d, and 24-bits for the \u201cFlags\u201d, this will result in the length 0x100000000 being used for the allocation. 
When this value is truncated to 32-bits, this will result in a zero-sized allocation being made upon which the function will start by checking if the byte at the non-truncated 64-bit size has been set.\n \n \n =================================================================\n ==1319==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf200074f at pc 0xf58ed7a1 bp 0xffd6e6d8 sp 0xffd6e6d0\n READ of size 1 at 0xf200074f thread T0\n #0 0xf58ed7a0 in url_box_read /root/src/isomedia/box_code_base.c:583:7\n #1 0xf5a8b4e4 in gf_isom_box_read /root/src/isomedia/box_funcs.c:1808:9\n #2 0xf5a8b4e4 in gf_isom_box_parse_ex /root/src/isomedia/box_funcs.c:265:14\n #3 0xf5ad8638 in gf_isom_parse_root_box /root/src/isomedia/box_funcs.c:38:8\n #4 0xf5ad8638 in gf_isom_parse_movie_boxes_internal /root/src/isomedia/isom_intern.c:318:7\n #5 0xf5ad8638 in gf_isom_parse_movie_boxes /root/src/isomedia/isom_intern.c:777:6\n #6 0xf5ae76f2 in gf_isom_open_file /root/src/isomedia/isom_intern.c:897:19\n #7 0xf5af9bf1 in gf_isom_open /root/src/isomedia/isom_read.c:509:11\n #8 0x512f6a in main /root/harness/parser.c:50:13\n #9 0xf4882ee4 in __libc_start_main (/lib32/libc.so.6+0x1eee4)\n #10 0x4621e5 in _start (/root/harness/parser32.asan+0x4621e5)\n \n 0xf200074f is located 1 bytes to the left of 1-byte region [0xf2000750,0xf2000751)\n allocated by thread T0 here:\n #0 0x4dcb75 in malloc (/root/harness/parser32.asan+0x4dcb75)\n #1 0xf58ed1e7 in gf_malloc /root/src/utils/alloc.c:150:9\n #2 0xf58ed1e7 in url_box_read /root/src/isomedia/box_code_base.c:580:26\n #3 0xf5a8b4e4 in gf_isom_box_read /root/src/isomedia/box_funcs.c:1808:9\n #4 0xf5a8b4e4 in gf_isom_box_parse_ex /root/src/isomedia/box_funcs.c:265:14\n #5 0xf5ad8638 in gf_isom_parse_root_box /root/src/isomedia/box_funcs.c:38:8\n #6 0xf5ad8638 in gf_isom_parse_movie_boxes_internal /root/src/isomedia/isom_intern.c:318:7\n #7 0xf5ad8638 in gf_isom_parse_movie_boxes /root/src/isomedia/isom_intern.c:777:6\n #8 0xf5ae76f2 in 
gf_isom_open_file /root/src/isomedia/isom_intern.c:897:19\n #9 0xf5af9bf1 in gf_isom_open /root/src/isomedia/isom_read.c:509:11\n #10 0x512f6a in main /root/harness/parser.c:50:13\n #11 0xf4882ee4 in __libc_start_main (/lib32/libc.so.6+0x1eee4)\n \n SUMMARY: AddressSanitizer: heap-buffer-overflow /root/src/isomedia/box_code_base.c:583:7 in url_box_read\n Shadow bytes around the buggy address:\n 0x3e400090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x3e4000a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x3e4000b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x3e4000c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x3e4000d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n =>0x3e4000e0: fa fa fa fa fa fa fa fa fa[fa]01 fa fa fa fd fa\n 0x3e4000f0: fa fa 00 fa fa fa 00 04 fa fa fa fa fa fa fa fa\n 0x3e400100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x3e400110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x3e400120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n 0x3e400130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n Shadow byte legend (one shadow byte represents 8 application bytes):\n Addressable: 00\n Partially addressable: 01 02 03 04 05 06 07 \n Heap left redzone: fa\n Freed heap region: fd\n Stack left redzone: f1\n Stack mid redzone: f2\n Stack right redzone: f3\n Stack after return: f5\n Stack use after scope: f8\n Global redzone: f9\n Global init order: f6\n Poisoned by user: f7\n Container overflow: fc\n Array cookie: ac\n Intra object redzone: bb\n ASan internal: fe\n Left alloca redzone: ca\n Right alloca redzone: cb\n Shadow gap: cc\n ==1319==ABORTING\n \n\n### Timeline\n\n2021-06-24 - Vendor Disclosure \n2021-08-11 - Vendor Patched \n2021-08-16 - Public Release\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", 
"baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-16T00:00:00", "type": "talos", "title": "GPAC Project Advanced Content MPEG-4 Decoding multiple integer addition overflow vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21853", "CVE-2021-21854", "CVE-2021-21855", "CVE-2021-21856", "CVE-2021-21857", "CVE-2021-21858"], "modified": "2021-08-16T00:00:00", "id": "TALOS-2021-1299", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1299", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "mageia": [{"lastseen": "2022-04-18T11:19:35", "description": "A specially crafted MPEG-4 input when decoding the atom for the \"co64\" FOURCC can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. (CVE-2021-21834) A specially crafted MPEG-4 input using the \"ctts\" FOURCC code can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. (CVE-2021-21836) A specially crafted MPEG-4 input can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. 
(CVE-2021-21837, CVE-2021-21838, CVE-2021-21839) A specially crafted MPEG-4 input used to process an atom using the \"saio\" FOURCC code cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. (CVE-2021-21840) A specially crafted MPEG-4 input when reading an atom using the 'sbgp' FOURCC code can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. (CVE-2021-21841) A specially crafted MPEG-4 input can cause an integer overflow when processing an atom using the 'ssix' FOURCC code, due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. (CVE-2021-21842) A specially crafted MPEG-4 input can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. After validating the number of ranges, at [41] the library will multiply the count by the size of the GF_SubsegmentRangeInfo structure. On a 32-bit platform, this multiplication can result in an integer overflow causing the space of the array being allocated to be less than expected. (CVE-2021-21843) A specially crafted MPEG-4 input when encountering an atom using the \"stco\" FOURCC code, can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. (CVE-2021-21844) A specially crafted MPEG-4 input in \"stsc\" decoder can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. (CVE-2021-21845) A specially crafted MPEG-4 input in \"stsz\" decoder can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. 
(CVE-2021-21846) A specially crafted MPEG-4 input in \"stts\" decoder can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. (CVE-2021-21847) The library will actually reuse the parser for atoms with the \"stsz\" FOURCC code when parsing atoms that use the \"stz2\" FOURCC code and can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. (CVE-2021-21848) A specially crafted MPEG-4 input can cause an integer overflow when the library encounters an atom using the \"tfra\" FOURCC code due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. (CVE-2021-21849) A specially crafted MPEG-4 input can cause an integer overflow when the library encounters an atom using the \"trun\" FOURCC code due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. (CVE-2021-21850) A specially crafted MPEG-4 input can cause an integer overflow due to unchecked addition arithmetic resulting in a heap-based buffer overflow that causes memory corruption. (CVE-2021-21853, CVE-2021-21854, CVE-2021-21855, CVE-2021-21857, CVE-2021-21858) The stri_box_read function is used when processing atoms using the 'stri' FOURCC code. (CVE-2021-21859) A specially crafted MPEG-4 input can cause an improper memory allocation resulting in a heap-based buffer overflow that causes memory corruption. The FOURCC code, 'trik', is parsed by the function within the library. (CVE-2021-21860) When processing the 'hdlr' FOURCC code, a specially crafted MPEG-4 input can cause an improper memory allocation resulting in a heap-based buffer overflow that causes memory corruption. 
(CVE-2021-21861) \n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-23T04:49:29", "type": "mageia", "title": "Updated gpac packages fix security vulnerability\n", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21834", "CVE-2021-21836", "CVE-2021-21837", "CVE-2021-21838", "CVE-2021-21839", "CVE-2021-21840", "CVE-2021-21841", "CVE-2021-21842", "CVE-2021-21843", "CVE-2021-21844", "CVE-2021-21845", "CVE-2021-21846", "CVE-2021-21847", "CVE-2021-21848", "CVE-2021-21849", "CVE-2021-21850", "CVE-2021-21853", "CVE-2021-21854", "CVE-2021-21855", "CVE-2021-21857", "CVE-2021-21858", "CVE-2021-21859", "CVE-2021-21860", "CVE-2021-21861"], "modified": "2021-09-23T04:49:29", "id": "MGASA-2021-0431", "href": "https://advisories.mageia.org/MGASA-2021-0431.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2022-01-30T00:56:12", "description": "The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-4966 advisory.\n\n - An exploitable integer overflow vulnerability exists within the MPEG-4 
decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input when decoding the atom for the co64 FOURCC can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability. (CVE-2021-21834)\n\n - An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input using the ctts FOURCC code can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability.\n (CVE-2021-21836)\n\n - Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability.\n (CVE-2021-21837, CVE-2021-21838, CVE-2021-21839)\n\n - An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input used to process an atom using the saio FOURCC code can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability. (CVE-2021-21840)\n\n - An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. 
A specially crafted MPEG-4 input when reading an atom using the 'sbgp' FOURCC code can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability. (CVE-2021-21841)\n\n - An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause an integer overflow when processing an atom using the 'ssix' FOURCC code, due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability. (CVE-2021-21842)\n\n - Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. After validating the number of ranges, at [41] the library will multiply the count by the size of the GF_SubsegmentRangeInfo structure. On a 32-bit platform, this multiplication can result in an integer overflow causing the space of the array being allocated to be less than expected. An attacker can convince a user to open a video to trigger this vulnerability. (CVE-2021-21843)\n\n - Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input when encountering an atom using the stco FOURCC code, can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability. 
(CVE-2021-21844)\n\n - Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input in stsc decoder can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability.\n (CVE-2021-21845)\n\n - Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input in stsz decoder can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability.\n (CVE-2021-21846)\n\n - Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input in stts decoder can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability.\n (CVE-2021-21847)\n\n - An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. The library will actually reuse the parser for atoms with the stsz FOURCC code when parsing atoms that use the stz2 FOURCC code and can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability. 
(CVE-2021-21848)\n\n - An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause an integer overflow when the library encounters an atom using the tfra FOURCC code due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability. (CVE-2021-21849)\n\n - An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause an integer overflow when the library encounters an atom using the trun FOURCC code due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability. (CVE-2021-21850)\n\n - Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause an integer overflow due to unchecked addition arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability.\n (CVE-2021-21853, CVE-2021-21854, CVE-2021-21855, CVE-2021-21857, CVE-2021-21858)\n\n - An exploitable integer truncation vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. The stri_box_read function is used when processing atoms using the 'stri' FOURCC code. An attacker can convince a user to open a video to trigger this vulnerability. (CVE-2021-21859)\n\n - An exploitable integer truncation vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. 
A specially crafted MPEG-4 input can cause an improper memory allocation resulting in a heap-based buffer overflow that causes memory corruption. The FOURCC code, 'trik', is parsed by the function within the library. An attacker can convince a user to open a video to trigger this vulnerability. (CVE-2021-21860)\n\n - An exploitable integer truncation vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. When processing the 'hdlr' FOURCC code, a specially crafted MPEG-4 input can cause an improper memory allocation resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability. (CVE-2021-21861)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2021-09-01T00:00:00", "type": "nessus", "title": "Debian DSA-4966-1 : gpac - security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-21834", "CVE-2021-21836", "CVE-2021-21837", "CVE-2021-21838", "CVE-2021-21839", "CVE-2021-21840", "CVE-2021-21841", "CVE-2021-21842", "CVE-2021-21843", "CVE-2021-21844", "CVE-2021-21845", "CVE-2021-21846", "CVE-2021-21847", "CVE-2021-21848", "CVE-2021-21849", "CVE-2021-21850", "CVE-2021-21853", "CVE-2021-21854", "CVE-2021-21855", "CVE-2021-21857", "CVE-2021-21858", "CVE-2021-21859", "CVE-2021-21860", "CVE-2021-21861"], "modified": "2021-09-01T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:gpac", "p-cpe:/a:debian:debian_linux:gpac-modules-base", "p-cpe:/a:debian:debian_linux:libgpac-dev", "p-cpe:/a:debian:debian_linux:libgpac10", "cpe:/o:debian:debian_linux:11.0"], "id": "DEBIAN_DSA-4966.NASL", "href": "https://www.tenable.com/plugins/nessus/152943", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The 
descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory dsa-4966. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152943);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/09/01\");\n\n script_cve_id(\n \"CVE-2021-21834\",\n \"CVE-2021-21836\",\n \"CVE-2021-21837\",\n \"CVE-2021-21838\",\n \"CVE-2021-21839\",\n \"CVE-2021-21840\",\n \"CVE-2021-21841\",\n \"CVE-2021-21842\",\n \"CVE-2021-21843\",\n \"CVE-2021-21844\",\n \"CVE-2021-21845\",\n \"CVE-2021-21846\",\n \"CVE-2021-21847\",\n \"CVE-2021-21848\",\n \"CVE-2021-21849\",\n \"CVE-2021-21850\",\n \"CVE-2021-21853\",\n \"CVE-2021-21854\",\n \"CVE-2021-21855\",\n \"CVE-2021-21857\",\n \"CVE-2021-21858\",\n \"CVE-2021-21859\",\n \"CVE-2021-21860\",\n \"CVE-2021-21861\"\n );\n\n script_name(english:\"Debian DSA-4966-1 : gpac - security update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Debian host is missing one or more security-related updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the\ndsa-4966 advisory.\n\n - An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC\n Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input when decoding the atom for\n the co64 FOURCC can cause an integer overflow due to unchecked arithmetic resulting in a heap-based\n buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger\n this vulnerability. (CVE-2021-21834)\n\n - An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC\n Project on Advanced Content library v1.0.1. 
A specially crafted MPEG-4 input using the ctts FOURCC code\n can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that\n causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability.\n (CVE-2021-21836)\n\n - Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of\n the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause an integer\n overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory\n corruption. An attacker can convince a user to open a video to trigger this vulnerability.\n (CVE-2021-21837, CVE-2021-21838, CVE-2021-21839)\n\n - An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC\n Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input used to process an atom using\n the saio FOURCC code cause an integer overflow due to unchecked arithmetic resulting in a heap-based\n buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger\n this vulnerability. (CVE-2021-21840)\n\n - An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC\n Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input when reading an atom using\n the 'sbgp' FOURCC code can cause an integer overflow due to unchecked arithmetic resulting in a heap-based\n buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger\n this vulnerability. (CVE-2021-21841)\n\n - An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC\n Project on Advanced Content library v1.0.1. 
A specially crafted MPEG-4 input can cause an integer overflow\n when processing an atom using the 'ssix' FOURCC code, due to unchecked arithmetic resulting in a heap-\n based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to\n trigger this vulnerability. (CVE-2021-21842)\n\n - Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of\n the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause an integer\n overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory\n corruption. After validating the number of ranges, at [41] the library will multiply the count by the size\n of the GF_SubsegmentRangeInfo structure. On a 32-bit platform, this multiplication can result in an\n integer overflow causing the space of the array being allocated to be less than expected. An attacker can\n convince a user to open a video to trigger this vulnerability. (CVE-2021-21843)\n\n - Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of\n the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input when encountering an\n atom using the stco FOURCC code, can cause an integer overflow due to unchecked arithmetic resulting in\n a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a\n video to trigger this vulnerability. (CVE-2021-21844)\n\n - Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of\n the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input in stsc decoder\n can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that\n causes memory corruption. 
An attacker can convince a user to open a video to trigger this vulnerability.\n (CVE-2021-21845)\n\n - Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of\n the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input in stsz decoder\n can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that\n causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability.\n (CVE-2021-21846)\n\n - Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of\n the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input in stts decoder\n can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that\n causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability.\n (CVE-2021-21847)\n\n - An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC\n Project on Advanced Content library v1.0.1. The library will actually reuse the parser for atoms with the\n stsz FOURCC code when parsing atoms that use the stz2 FOURCC code and can cause an integer overflow\n due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An\n attacker can convince a user to open a video to trigger this vulnerability. (CVE-2021-21848)\n\n - An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC\n Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause an integer overflow\n when the library encounters an atom using the tfra FOURCC code due to unchecked arithmetic resulting in\n a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a\n video to trigger this vulnerability. 
(CVE-2021-21849)\n\n - An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC\n Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause an integer overflow\n when the library encounters an atom using the trun FOURCC code due to unchecked arithmetic resulting in\n a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a\n video to trigger this vulnerability. (CVE-2021-21850)\n\n - Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of\n the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause an integer\n overflow due to unchecked addition arithmetic resulting in a heap-based buffer overflow that causes memory\n corruption. An attacker can convince a user to open a video to trigger this vulnerability.\n (CVE-2021-21853, CVE-2021-21854, CVE-2021-21855, CVE-2021-21857, CVE-2021-21858)\n\n - An exploitable integer truncation vulnerability exists within the MPEG-4 decoding functionality of the\n GPAC Project on Advanced Content library v1.0.1. The stri_box_read function is used when processing atoms\n using the 'stri' FOURCC code. An attacker can convince a user to open a video to trigger this\n vulnerability. (CVE-2021-21859)\n\n - An exploitable integer truncation vulnerability exists within the MPEG-4 decoding functionality of the\n GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause an improper\n memory allocation resulting in a heap-based buffer overflow that causes memory corruption. The FOURCC\n code, 'trik', is parsed by the function within the library. An attacker can convince a user to open a\n video to trigger this vulnerability. (CVE-2021-21860)\n\n - An exploitable integer truncation vulnerability exists within the MPEG-4 decoding functionality of the\n GPAC Project on Advanced Content library v1.0.1. 
When processing the 'hdlr' FOURCC code, a specially\n crafted MPEG-4 input can cause an improper memory allocation resulting in a heap-based buffer overflow\n that causes memory corruption. An attacker can convince a user to open a video to trigger this\n vulnerability. (CVE-2021-21861)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/source-package/gpac\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.debian.org/security/2021/dsa-4966\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2021-21834\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2021-21836\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2021-21837\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2021-21838\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2021-21839\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2021-21840\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2021-21841\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2021-21842\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2021-21843\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2021-21844\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2021-21845\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://security-tracker.debian.org/tracker/CVE-2021-21846\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2021-21847\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2021-21848\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2021-21849\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2021-21850\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2021-21853\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2021-21854\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2021-21855\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2021-21857\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2021-21858\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2021-21859\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2021-21860\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2021-21861\");\n script_set_attribute(attribute:\"see_also\", value:\"https://packages.debian.org/source/bullseye/gpac\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the gpac packages.\n\nFor the stable distribution (bullseye), these problems have been fixed in version 1.0.1+dfsg1-4+deb11u1.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n 
script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-21861\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/08/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/09/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:gpac\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:gpac-modules-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libgpac-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libgpac10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:11.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Debian Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('debian_package.inc');\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar release = get_kb_item('Host/Debian/release');\nif ( isnull(release) ) audit(AUDIT_OS_NOT, 'Debian');\nvar release = chomp(release);\nif (! 
preg(pattern:\"^(11)\\.[0-9]+\", string:release)) audit(AUDIT_OS_NOT, 'Debian 11.0', 'Debian ' + release);\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);\n\nvar pkgs = [\n {'release': '11.0', 'prefix': 'gpac', 'reference': '1.0.1+dfsg1-4+deb11u1'},\n {'release': '11.0', 'prefix': 'gpac-modules-base', 'reference': '1.0.1+dfsg1-4+deb11u1'},\n {'release': '11.0', 'prefix': 'libgpac-dev', 'reference': '1.0.1+dfsg1-4+deb11u1'},\n {'release': '11.0', 'prefix': 'libgpac10', 'reference': '1.0.1+dfsg1-4+deb11u1'}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var release = NULL;\n var prefix = NULL;\n var reference = NULL;\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (release && prefix && reference) {\n if (deb_check(release:release, prefix:prefix, reference:reference)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : deb_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = deb_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'gpac / gpac-modules-base / libgpac-dev / libgpac10');\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2021-11-28T08:52:35", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4966-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nAugust 31, 2021 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : gpac\nCVE ID : CVE-2021-21834 
CVE-2021-21836 CVE-2021-21837 CVE-2021-21838 \n CVE-2021-21839 CVE-2021-21840 CVE-2021-21841 CVE-2021-21842 \n CVE-2021-21843 CVE-2021-21844 CVE-2021-21845 CVE-2021-21846 \n CVE-2021-21847 CVE-2021-21848 CVE-2021-21849 CVE-2021-21850 \n CVE-2021-21853 CVE-2021-21854 CVE-2021-21855 CVE-2021-21857\n\t\t CVE-2021-21858 CVE-2021-21859 CVE-2021-21860 CVE-2021-21861\n\nMultiple security issues were discovered in the GPAC multimedia framework\nwhich could result in denial of service or the execution of arbitrary code.\n\nThe oldstable distribution (buster) is not affected.\n\nFor the stable distribution (bullseye), these problems have been fixed in\nversion 1.0.1+dfsg1-4+deb11u1.\n\nWe recommend that you upgrade your gpac packages.\n\nFor the detailed security status of gpac please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/gpac\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-31T21:07:40", "type": "debian", "title": "[SECURITY] [DSA 4966-1] gpac security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, 
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21834", "CVE-2021-21836", "CVE-2021-21837", "CVE-2021-21838", "CVE-2021-21839", "CVE-2021-21840", "CVE-2021-21841", "CVE-2021-21842", "CVE-2021-21843", "CVE-2021-21844", "CVE-2021-21845", "CVE-2021-21846", "CVE-2021-21847", "CVE-2021-21848", "CVE-2021-21849", "CVE-2021-21850", "CVE-2021-21853", "CVE-2021-21854", "CVE-2021-21855", "CVE-2021-21857", "CVE-2021-21858", "CVE-2021-21859", "CVE-2021-21860", "CVE-2021-21861"], "modified": "2021-08-31T21:07:40", "id": "DEBIAN:DSA-4966-1:64041", "href": "https://lists.debian.org/debian-security-announce/2021/msg00151.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}