There is an integer overflow in media_tools/av_parsers.c:5349, function gf_avc_read_pps_bs_internal.
Below code:

```c
pps_id = gf_bs_read_ue_log(bs, "pps_id");
if (pps_id >= 255) {
    return -1;
}
pps = &avc->pps[pps_id];
pps->id = pps_id;
```

pps_id may be a negative number, so it will not return.
However, avc->pps only has 255 units, so it overflows, which results in a crash.
More than that, because of the pps->id = pps_id, the vuln may lead to an arbitrary address write.
In command line:

```
gpac -info bug3
```
In gdb:

The crafted file is in the attached zip:
bug3.zip
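Added example (not GPAC's code and not part of the report above): a stand-alone C program with a minimal ue(v) Exp-Golomb reader that shows how a `pps_id` stored in a signed `int` slips past a `>= 255` check once the decoded value reaches 2^31, beside an unsigned variant of the same check that bounds the index on both sides. The bit reader, `PPS_COUNT`, the `avc_state` struct, the function names and the two input byte strings are all constructed for this illustration; the crafted bytes are not taken from the attached bug3 file, and the hardened form is one possible fix, not necessarily the upstream one.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Everything in this file is a stand-alone illustration, not GPAC code. */

#define PPS_COUNT 255            /* size the report gives for avc->pps (assumption) */

typedef struct { int id; int valid; } pps_entry;
typedef struct { pps_entry pps[PPS_COUNT]; } avc_state;

/* Minimal MSB-first bit reader; reads past the end yield 0 bits. */
typedef struct { const uint8_t *buf; size_t len; size_t pos; } bitreader;

static unsigned read_bit(bitreader *br) {
    if (br->pos >= br->len * 8) return 0;
    unsigned bit = (br->buf[br->pos >> 3] >> (7 - (br->pos & 7))) & 1u;
    br->pos++;
    return bit;
}

static uint32_t read_bits(bitreader *br, unsigned n) {
    uint32_t v = 0;
    while (n--) v = (v << 1) | read_bit(br);
    return v;
}

/* ue(v) Exp-Golomb as used for pps_id: n leading zeros, a 1, then n bits;
   value = 2^n - 1 + bits. The result is unsigned: with 31 leading zeros it
   reaches up to 2^32 - 2, well above INT_MAX. */
static uint32_t read_ue(bitreader *br) {
    unsigned zeros = 0;
    while (zeros < 32 && read_bit(br) == 0) zeros++;
    if (zeros >= 32) return UINT32_MAX;      /* malformed or truncated */
    return ((1u << zeros) - 1u) + read_bits(br, zeros);
}

/* Shape of the vulnerable logic as the report describes it: the unsigned ue(v)
   result lands in a signed int and only the upper bound is checked. Returns 0
   when the check would let the value through (storing the index that would be
   used) and -1 when it would reject it. No array write is performed here. */
static int parse_pps_unsafe(const uint8_t *buf, size_t len, int *index_out) {
    bitreader br = { buf, len, 0 };
    int pps_id = (int)read_ue(&br);          /* >= 2^31 wraps negative on two's-complement targets */
    *index_out = pps_id;
    if (pps_id >= PPS_COUNT) return -1;
    /* avc->pps[pps_id].id = pps_id would follow: out of bounds whenever pps_id < 0 */
    return 0;
}

/* Hardened form: keep pps_id unsigned so a single comparison bounds it on both sides. */
static int parse_pps_safe(avc_state *avc, const uint8_t *buf, size_t len) {
    bitreader br = { buf, len, 0 };
    uint32_t pps_id = read_ue(&br);
    if (pps_id >= PPS_COUNT) return -1;
    avc->pps[pps_id].id = (int)pps_id;
    avc->pps[pps_id].valid = 1;
    return 0;
}

/* Constructed inputs (not from the attached bug3 file):
   BENIGN  = ue(3)    -> bits 00100
   CRAFTED = ue(2^31) -> 31 zeros, a 1, then 31 bits encoding the value 1 */
static const uint8_t BENIGN[]  = { 0x20 };
static const uint8_t CRAFTED[] = { 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02 };

int main(void) {
    avc_state avc = {0};
    int idx = 0;
    int r = parse_pps_unsafe(CRAFTED, sizeof CRAFTED, &idx);
    printf("unsafe: check %s, would index avc->pps[%d]\n", r == 0 ? "passed" : "rejected", idx);
    printf("safe:   crafted input %s\n",
           parse_pps_safe(&avc, CRAFTED, sizeof CRAFTED) == 0 ? "accepted" : "rejected");
    return 0;
}
```

Build with `cc -std=c99 -Wall example.c` and run it. The conversion of an out-of-range `uint32_t` to `int` is implementation-defined in C; on the two's-complement compilers that build GPAC it wraps to a negative value, which is exactly why the signed `>= 255` test is not a bounds check. Keeping the identifier unsigned (or testing `pps_id < 0 || pps_id >= 255` on the signed value) closes that gap.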