5N1P3R001

**Name of the Vulnerable Software and Affected Versions** GPAC version 1.0.1 **Description** The issue is related to a memory leak in the `gf isom oinf read entry` function of the MP4Box component in the GPAC multimedia platform. This leak is caused by incorrect memory deallocation before removing the last reference, allowing a remote attacker to access confidential data using a specially crafted file. **Recommendations** For GPAC version 1.0.1, consider restricting access to the `gf isom oinf read entry` function until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GPAC version 1.0.1 **Description** The issue is related to the DumpTrackInfo function in the MP4Box command, which allows attackers to cause a denial of service via a crafted file. This is due to a NULL pointer dereference error. The exploitation of this issue can be done remotely. **Recommendations** For GPAC version 1.0.1, consider disabling the DumpTrackInfo function as a temporary workaround until a patch is available. Restrict access to the MP4Box command to minimize the risk of exploitation. Avoid using crafted files that could trigger the NULL pointer dereference error.

**Name of the Vulnerable Software and Affected Versions** GPAC version 1.0.1 **Description** The issue is related to a heap buffer overflow in the `URL GetProtocolType` function of the MP4Box command in the GPAC multimedia platform. This can be exploited by a remote attacker using a specially crafted file, potentially leading to a denial of service or the execution of arbitrary code. **Recommendations** For GPAC version 1.0.1, consider disabling the `URL GetProtocolType` function as a temporary workaround until a patch is available. Restrict access to the MP4Box command to minimize the risk of exploitation. Avoid using crafted files that could trigger the heap buffer overflow in the `URL GetProtocolType` function. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GPAC version 1.0.1 **Description** The issue is related to a memory leak in the `afra box read` function in MP4Box, a component of the GPAC multimedia platform. This allows attackers to read memory via a crafted file, potentially giving them access to confidential data. The exploitation of this issue can be done remotely. **Recommendations** For GPAC version 1.0.1, consider disabling the `afra box read` function until a patch is available to prevent potential memory leaks and unauthorized access to data. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GPAC version 1.0.1 **Description** The issue is related to a memory leak in the `infe box read` function of the MP4Box component in the GPAC multimedia platform. This allows attackers to read memory via a crafted file, potentially giving them access to confidential data. The vulnerability can be exploited by a remote attacker using a specially created file. **Recommendations** For GPAC version 1.0.1, consider disabling the `infe box read` function until a patch is available to prevent potential memory leaks and unauthorized access to data. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GPAC version 1.0.1 **Description** The issue is related to a memory leak in the `gf isom get root od` function of the MP4Box component in the GPAC multimedia platform. This allows a remote attacker to access confidential data by using a specially crafted file. The memory leak enables attackers to read memory, potentially leading to unauthorized access to sensitive information. **Recommendations** For GPAC version 1.0.1, consider updating to a newer version that contains a fix for this issue, as using a crafted file can lead to memory leaks and unauthorized data access. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GPAC version 1.0.1 **Description** The issue is related to a stack buffer overflow in the `hevc parse vps extension` function in MP4Box, a component of the GPAC multimedia platform. This allows attackers to cause a denial of service or execute arbitrary code via a crafted file. The vulnerability can be exploited by a remote attacker to access confidential data, compromise data integrity, and cause a denial of service using a specially crafted file. **Recommendations** For GPAC version 1.0.1, consider disabling the `hevc parse vps extension` function until a patch is available to prevent potential exploitation. Restrict access to crafted files that could trigger the buffer overflow to minimize the risk of denial of service or arbitrary code execution. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GPAC version 1.0.1 **Description** A buffer overflow issue exists in the tenc box read function in MP4Box, allowing attackers to potentially cause a denial of service or execute arbitrary code via a crafted file. This issue is related to invalid IV sizes. **Recommendations** For GPAC version 1.0.1, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GPAC version 1.0.1 **Description** A buffer overflow issue exists in the `abst box read` function within MP4Box in GPAC, allowing attackers to potentially cause a denial of service or execute arbitrary code by using a crafted file. No information is available regarding the estimated number of potentially affected devices or real-world incidents where this issue was exploited. **Recommendations** For GPAC version 1.0.1, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GPAC version 1.0.1 **Description** The issue allows attackers to read memory via a crafted file in the MP4Box command, specifically through the `gf hinter track new` function. **Recommendations** For GPAC version 1.0.1, consider restricting the use of the `gf hinter track new` function until a patch is available. Avoid using the MP4Box command with crafted files to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GPAC version 1.0.1 **Description** The issue allows attackers to cause a denial of service, specifically a NULL pointer dereference, by using a crafted file with the MP4Box command. This is related to the MergeTrack function. **Recommendations** For GPAC version 1.0.1, consider avoiding the use of the MergeTrack function until a patch is available. As a temporary workaround, restrict the use of crafted files with the MP4Box command to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** GPAC version 1.0.1 **Description** The issue allows attackers to cause a denial of service, specifically a NULL pointer dereference, by using a crafted file with the MP4Box command. This is due to a problem in the `gf isom set extraction slc` function. **Recommendations** For GPAC version 1.0.1, consider avoiding the use of crafted files with the MP4Box command until a patch is available. As a temporary workaround, restrict the use of the `gf isom set extraction slc` function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GPAC version 1.0.1 **Description** A memory leak in the stbl GetSampleInfos function in MP4Box allows attackers to read memory via a crafted file. **Recommendations** For GPAC version 1.0.1, at the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** GPAC version 1.0.1 **Description** The issue allows attackers to cause a denial of service, specifically a NULL pointer dereference, by using a crafted file with the MP4Box command. This is due to a problem in the `AV1 DuplicateConfig` function. **Recommendations** For GPAC version 1.0.1, consider avoiding the use of crafted files with the MP4Box command until a patch is available. As a temporary workaround, restrict the execution of the `AV1 DuplicateConfig` function to prevent potential denial of service attacks.