A vulnerability in the gf_text_get_utf8_line function of GPAC could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.
The vulnerability is due to improper bounds checks on the szLineConv parameter in the gf_text_get_utf8_line function, as defined in the media_tools/text_import.c source code file of the affected software. An attacker could exploit this vulnerability by persuading a user to execute the MP4Box command on a multimedia file that submits malicious input to the targeted system. A successful exploit could trigger an out-of-bounds write condition that the attacker could use to execute arbitrary code or cause a denial of service (DoS) condition.
Proof-of-concept (PoC) code that demonstrates an exploit of this vulnerability is publicly available.
GPAC has confirmed the vulnerability and released software updates.
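The class of bug described above, as an added example that is not GPAC's code and not part of the advisory: a line converter whose output can be longer than its input, with every write checked against the destination buffer's capacity. The function name, the Latin-1-to-UTF-8 expansion and the buffer sizes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not GPAC code): copy a line into dst, expanding each
 * byte >= 0x80 into a two-byte UTF-8 sequence (Latin-1 interpretation).
 * The output can be up to twice as long as the input, so every write is
 * checked against dst_cap. Returns the number of bytes written (excluding
 * the NUL), or (size_t)-1 if the converted line does not fit. When
 * dst_cap > 0, dst is always NUL-terminated. */
size_t convert_line_bounded(const char *src, char *dst, size_t dst_cap)
{
    size_t j = 0;
    if (dst_cap == 0) return (size_t)-1;
    for (size_t i = 0; src[i] != '\0'; i++) {
        unsigned char c = (unsigned char)src[i];
        size_t need = (c < 0x80) ? 1 : 2;
        /* One byte stays reserved for the terminator; j <= dst_cap - 1. */
        if (need > dst_cap - 1 - j) {
            dst[j] = '\0';
            return (size_t)-1;
        }
        if (c < 0x80) {
            dst[j++] = (char)c;
        } else {
            dst[j++] = (char)(0xC0 | (c >> 6));
            dst[j++] = (char)(0x80 | (c & 0x3F));
        }
    }
    dst[j] = '\0';
    return j;
}

int main(void)
{
    /* Constructed input: 8 high bytes expand to 16 bytes of UTF-8. */
    const char line[] = "\xE9\xE9\xE9\xE9\xE9\xE9\xE9\xE9";
    char buf_small[9], buf_large[17];
    size_t a = convert_line_bounded(line, buf_small, sizeof buf_small);
    size_t b = convert_line_bounded(line, buf_large, sizeof buf_large);
    printf("9-byte buffer:  %s\n", a == (size_t)-1 ? "rejected" : "fits");
    printf("17-byte buffer: %zu bytes written\n", b);
    return 0;
}
```

A destination sized like the source is not enough when conversion expands bytes; the check has to be made against the destination's remaining capacity at each write.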