CVE-2021-21850

Name of the Vulnerable Software and Affected Versions GPAC Project on Advanced Content library version 1.0.1

Description An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library. A specially crafted MPEG-4 input can cause an integer overflow when the library encounters an atom using the “trun” FOURCC code due to unchecked arithmetic, resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability. The vulnerability is related to incorrect checking of the result of an arithmetic operation, which can allow a remote attacker to access confidential data, disrupt their integrity, and cause a denial of service.

Recommendations For GPAC Project on Advanced Content library version 1.0.1, consider disabling the MPEG-4 decoding functionality until a patch is available. Restrict access to videos that could potentially trigger the vulnerability to minimize the risk of exploitation. Avoid using the “trun” FOURCC code in the affected library until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.