CVE-2021-21846

Name of the Vulnerable Software and Affected Versions GPAC Project on Advanced Content library version 1.0.1

Description The issue is related to multiple exploitable integer overflow vulnerabilities within the MPEG-4 decoding functionality. A specially crafted MPEG-4 input in the "stsz" decoder can cause an integer overflow due to unchecked arithmetic, resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this issue. The vulnerability allows a remote attacker to access confidential data, compromise its integrity, and cause a denial of service.

Recommendations For GPAC Project on Advanced Content library version 1.0.1, consider disabling the "stsz" decoder functionality until a patch is available to prevent exploitation. Restrict access to the MPEG-4 decoding functionality to minimize the risk of memory corruption. Avoid using the vulnerable library to decode MPEG-4 videos until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.