Headline
CVE-2021-40570: fixed #1899 · gpac/gpac@04dbf08
The binary MP4Box in Gpac 1.0.1 has a double-free vulnerability in the avc_compute_poc function in av_parsers.c, which allows attackers to cause a denial of service, or even code execution and escalation of privileges.
@@ -5198,6 +5198,7 @@ static s32 gf_avc_read_sps_bs_internal(GF_BitStream *bs, AVCState *avc, u32 subs
sps->offset_for_top_to_bottom_field = gf_bs_read_se_log(bs, “offset_for_top_to_bottom_field”);
sps->poc_cycle_length = gf_bs_read_ue_log(bs, “poc_cycle_length”);
if (sps->poc_cycle_length > GF_ARRAY_LENGTH(sps->offset_for_ref_frame)) {
sps->poc_cycle_length = 255;
GF_LOG(GF_LOG_ERROR, GF_LOG_CODING, ("[avc-h264] offset_for_ref_frame overflow from poc_cycle_length\n"));
return -1;
}
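Review bot: The clamp `sps->poc_cycle_length = 255;` on the error path hard-codes a bound that the check just above takes from `GF_ARRAY_LENGTH(sps->offset_for_ref_frame)`, so the two can drift apart if the array is ever resized. The +/- markers are lost on this page, but the hunk header's line counts suggest this is the one added line. I would derive the value from the array, e.g. `sps->poc_cycle_length = GF_ARRAY_LENGTH(sps->offset_for_ref_frame) - 1;`, and add a comment such as `/* rejected SPS: keep the count in range for code that still reads this entry */` so the reason for rewriting a field just before `return -1` is on record. The SPS entry also stays partially parsed in `avc` after the failure, so it is worth confirming that callers discard or invalidate it rather than relying on this clamp alone. The function body starts and ends outside the hunk, so the later readers of `poc_cycle_length` are not visible here.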