Buffer Overflow Affecting gpac4ios package, versions >=0.0.0


0.0
high
  • Attack Complexity

    Low

  • Availability

    High

  • snyk-id

    SNYK-COCOAPODS-GPAC4IOS-1567328

  • published

    22 Aug 2021

  • disclosed

    19 Aug 2021

  • credit

    Cisco Talos

How to fix?

There is no fixed version for GPAC4iOS.

Overview

GPAC4iOS is the libgpac library packaged for iOS as a Pod. It is preconfigured and tested to do a single task: create an MP4 file from a raw H.264 and an audio track.

Affected versions of this package are vulnerable to Buffer Overflow. The implementation of the parser used for the “Xtra” FOURCC code is handled by the following function. First the function reads a 32-bit signed integer for the tag size, and then at line 21 reads a 32-bit unsigned integer to determine the length of the name within the atom. At line 22, the sum of the unsigned 32-bit name size and the value 1 is used to allocate a buffer for the string that is to be read. Because adding any non-zero number to a 32-bit unsigned integer can produce a value that is larger than 32 bits, this addition can result in an integer overflow. If the 32-bit size is set to UINT_MAX, the addition results in the gf_malloc function returning a zero-sized buffer. Afterwards, at line 23, the original name size is used to read a string from the atom into the zero-sized buffer and then null-terminate it. As the buffer that was returned is zero-sized, this results in a large buffer overflow, followed by a relative write for the null-termination.
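The size arithmetic described above, next to a bounds-checked read, as an added example that is not GPAC's code. The function names, the big-endian byte order and the sample atoms are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* The flawed size computation from the advisory: the 32-bit addition wraps. */
static uint32_t alloc_size_unchecked(uint32_t name_size)
{
    return name_size + 1u;   /* UINT32_MAX + 1 == 0 */
}

/* Read a big-endian u32 (byte order is an assumption of this sketch). */
static uint32_t rd_u32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Hardened read: returns a NUL-terminated copy of the name, or NULL if the
 * declared length does not fit in the bytes left in the atom. */
static char *read_name_checked(const uint8_t *atom, size_t atom_len)
{
    if (atom_len < 4)
        return NULL;
    uint32_t name_size = rd_u32(atom);
    size_t remaining = atom_len - 4;
    if (name_size > remaining)   /* declared length exceeds available data */
        return NULL;
    /* Add in size_t only after the bound check, so the +1 cannot wrap. */
    char *name = malloc((size_t)name_size + 1);
    if (!name)
        return NULL;
    memcpy(name, atom + 4, name_size);
    name[name_size] = '\0';
    return name;
}

/* Constructed sample inputs (not taken from a real file). */
static const uint8_t ok_atom[]  = { 0, 0, 0, 5, 'T', 'i', 't', 'l', 'e' };
static const uint8_t bad_atom[] = { 0xFF, 0xFF, 0xFF, 0xFF, 'A', 'B' };

int main(void)
{
    char *n = read_name_checked(ok_atom, sizeof ok_atom);
    int ok = n && strcmp(n, "Title") == 0;
    free(n);
    return (ok && !read_name_checked(bad_atom, sizeof bad_atom)
               && alloc_size_unchecked(UINT32_MAX) == 0) ? 0 : 1;
}
```

Validating the declared length against the bytes remaining in the atom before allocating rejects the UINT_MAX case without relying on the allocator's behaviour for a zero-sized request.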