Product: GPAC (MP4Box)
Affected: gpac/gpac prior to fix commit (see References)
CVE: CVE-2025-70116
CWE: CWE-476 (NULL Pointer Dereference)
CVSS 3.1: 4.3 MEDIUM (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
Reporter: sigdevel <https://infosec.exchange/@sigdevel>
Description:
When MP4Box processes a truncated or malformed MP4 file containing
an unknown or invalid stsd (SampleDescription) box entry, the codec
descriptor fields (codec name, MIME type, profile string) may never
be initialized and remain NULL. The function gf_media_map_esd() in
media_tools/isom_tools.c:1364 subsequently calls strlen() on one
of these NULL pointers without a prior NULL check, triggering a
NULL pointer dereference that ASan reports as a SEGV.
The crash is reproducible on the current master branch at the time of
discovery. No authentication or special privileges are required beyond
the ability to supply a crafted file.
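To illustrate the bug class rather than the exact GPAC code path, the following added example (written for this write-up, not taken from GPAC) contrasts the unchecked strlen() pattern with a hardened variant. The struct codec_desc_t and the functions desc_total_len_unsafe(), desc_total_len_safe() and the demo_* helpers are hypothetical names; the descriptor values are constructed sample input.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical codec descriptor, modelled on the advisory's description.
 * This is NOT GPAC's real structure: with an unknown or invalid stsd entry,
 * one or more of these string fields may never be filled in and stay NULL. */
typedef struct {
    const char *codec_name;
    const char *mime_type;
    const char *profile;
} codec_desc_t;

/* Unsafe pattern (the bug class the advisory describes): every field is
 * passed to strlen() with no NULL check. A NULL field makes strlen() read
 * from the zero page, which ASan reports as a SEGV (CWE-476). */
size_t desc_total_len_unsafe(const codec_desc_t *d)
{
    return strlen(d->codec_name) + strlen(d->mime_type) + strlen(d->profile);
}

/* Hardened variant: validate every pointer before use. Returns 0 and the
 * combined length on success, -1 if the descriptor is incomplete, so the
 * caller can reject the sample description instead of crashing. */
int desc_total_len_safe(const codec_desc_t *d, size_t *out_len)
{
    const char *fields[3];
    size_t total = 0;

    if (d == NULL || out_len == NULL)
        return -1;

    fields[0] = d->codec_name;
    fields[1] = d->mime_type;
    fields[2] = d->profile;

    for (size_t i = 0; i < 3; i++) {
        if (fields[i] == NULL)
            return -1;          /* uninitialized field: refuse, do not dereference */
        total += strlen(fields[i]);
    }
    *out_len = total;
    return 0;
}

/* Constructed input 1: a fully initialized descriptor (sample values). */
size_t demo_complete_descriptor(void)
{
    codec_desc_t d = { "avc1", "video/mp4", "High" };
    size_t len = 0;
    if (desc_total_len_safe(&d, &len) != 0)
        return 0;
    return len;                 /* 4 + 9 + 4 = 17 */
}

/* Constructed input 2: what a malformed stsd entry can leave behind; only
 * the codec name was set, the remaining fields are still NULL. */
int demo_incomplete_descriptor(void)
{
    codec_desc_t d = { "mp4a", NULL, NULL };
    size_t len = 0;
    /* desc_total_len_unsafe(&d) would dereference NULL here;
     * the safe variant reports the incomplete descriptor instead. */
    return desc_total_len_safe(&d, &len);   /* -1 */
}

int main(void)
{
    printf("complete descriptor length: %zu\n", demo_complete_descriptor());
    printf("incomplete descriptor status: %d\n", demo_incomplete_descriptor());
    return 0;
}
```

The point of the safe variant is that a parser which tolerates unknown box types must treat every derived field as optional until it has been checked; returning an error for an incomplete descriptor lets the caller skip or reject the track rather than terminate the process.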
Reproduction:
Build options: `CC="gcc -fsanitize=address -g" CXX="g++ -fsanitize=address -g"`
Command: ./MP4Box -split-size 8000 68_gf_media_map_esd_media_tools_isom_tools_c_1364
ASan log:
==3660073==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000001d (pc 0x7fc0abb79c59 bp 0x7ffcecd750a0 sp 0x7ffcecd74848 T0)
==3660073==The signal is caused by a READ memory access.
==3660073==Hint: address points to the zero page.
#0 0x7fc0abb79c59 in __strlen_avx2_rtm ../sysdeps/x86_64/multiarch/strlen-avx2.S:76
#1 0x7fc0ada78ee9 in strlen ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:389
#2 0x7fc0ac4e9ece in gf_media_map_esd media_tools/isom_tools.c:1364
PoC:
https://github.com/sigdevel/pocs/blob/main/res/gpac/MP4Box/68/68_gf_media_map_esd_media_tools_isom_tools_c_1364
References:
https://github.com/gpac/gpac/issues/3345
https://nvd.nist.gov/vuln/detail/CVE-2025-70116
https://infosec.exchange/@sigdevel/116624563750949972
---
Best regards,
Alexander A. Shvedov
https://github.com/sigdevel