An issue was discovered in gpac version 2.3-DEV-rev588-g7edc40fee-master, allows remote attackers to execute arbitrary code, cause a denial of service (DoS), and obtain sensitive information via null pointer deference in gf_dash_setup_period component in media_tools/dash_client.c.
The vulnerability results from a lack of pointer validation before its use in the gf_dash_setup_period function located in the file media_tools/dash_client.c. An attacker can remotely trigger a situation where the pointer takes a NULL value, leading to a null pointer dereference error. Such an error can result in process termination or, under favorable conditions, allow the attacker to take control of code execution.
An attacker can remotely execute arbitrary code (RCE), cause denial of service (DoS) through application crash, and gain access to sensitive data processed by the GPAC library.
Apply patches available from the vendor according to the references. It is recommended to monitor the official GPAC project repository (GitHub) to obtain the patched version and avoid processing untrusted DASH multimedia files until the patch is applied.
GPAC version 2.3-DEV-rev588-g7edc40fee-master
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HGpac
APPGpac2.3-dev-rev588-g7edc40fee-master
Related vulnerabilities
Out-of-bounds Read w bibliotece GPAC — odczyt pamięci i awaria aplikacji
Stack-based Buffer Overflow w GPAC — możliwe RCE bez uwierzytelnienia
Heap Buffer Overflow w GPAC/MP4Box — RCE i DoS przez klasę str2ulong
NULL Pointer Dereference in GitHub repository gpac/gpac prior to 2.2.2.
Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.2.2.