Product:   GPAC (MP4Box)
Affected:  gpac/gpac prior to fix commit ff8249a407685d00ceb5f4d2a798b9cad195140e
CVE:       CVE-2025-55659
CWE:       CWE-476 (NULL Pointer Dereference)
CVSS 3.1:  4.3 MEDIUM (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
Reporter:  sigdevel <https://infosec.exchange/@sigdevel>

Description:
  When MP4Box splits/remuxes a crafted, truncated MP4 file, invalid
  negative-timestamp handling during range estimation can leave the
  composition-time-to-sample entries pointer in an invalid or NULL
  state. ctts_box_write() in isomedia/box_code_base.c does not check
  this pointer before dereferencing it while writing the ctts box
  during final muxing.

  AddressSanitizer reports a SEGV caused by a READ memory access at
  address 0x000000000000 (the zero page) at isomedia/box_code_base.c:464,
  reached via the box-writing chain (gf_isom_box_write_listing /
  gf_isom_box_write) while MP4Box closes the output file.

  The crash is reproducible on the current master branch at the time of
  discovery. No authentication or special privileges are required beyond
  the ability to provide a crafted file.
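
  Hardened-writer illustration, added here and not GPAC code (the
  ctts_box and ctts_entry types are simplified stand-ins constructed for
  the example): a ctts serialiser that rejects a non-zero entry count
  paired with a NULL entries pointer instead of dereferencing it, which
  is the check this advisory describes as missing in ctts_box_write().

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified stand-ins for the composition-time-to-sample box; these
 * are constructed for this example and are NOT GPAC's own structures. */
typedef struct {
    uint32_t sample_count;
    int32_t  sample_offset;        /* version 1 permits negative offsets */
} ctts_entry;

typedef struct {
    uint8_t     version;
    uint32_t    nb_entries;
    ctts_entry *entries;           /* may be NULL if range estimation failed */
} ctts_box;

enum { CTTS_ERR_NULL_ENTRIES = -1, CTTS_ERR_SMALL_BUF = -2 };

static void put_u32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Serialise a ctts box into buf. Returns the number of bytes written,
 * or a negative CTTS_ERR_* code. The first check is the one the
 * advisory reports as missing: a non-zero entry count paired with a
 * NULL entries pointer is an error to report, not a pointer to read. */
int ctts_box_write_checked(const ctts_box *b, uint8_t *buf, size_t buf_len) {
    if (b->nb_entries != 0 && b->entries == NULL) return CTTS_ERR_NULL_ENTRIES;
    /* FullBox header (12) + entry_count (4) + 8 bytes per entry */
    uint64_t need = 16u + (uint64_t)b->nb_entries * 8u;
    if (need > buf_len || need > INT32_MAX) return CTTS_ERR_SMALL_BUF;
    put_u32(buf, (uint32_t)need);                  /* box size */
    memcpy(buf + 4, "ctts", 4);                    /* box type */
    buf[8] = b->version;                           /* version */
    buf[9] = buf[10] = buf[11] = 0;                /* flags */
    put_u32(buf + 12, b->nb_entries);              /* entry_count */
    for (uint32_t i = 0; i < b->nb_entries; i++) {
        put_u32(buf + 16 + (size_t)i * 8, b->entries[i].sample_count);
        put_u32(buf + 20 + (size_t)i * 8, (uint32_t)b->entries[i].sample_offset);
    }
    return (int)need;
}
```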

Reproduction:
  Build opts: CC="gcc -fsanitize=address -g" CXX="g++ -fsanitize=address -g"
  Command:    ./MP4Box -add 5_poc.mp4 -new ./test -split-size 500

ASan log:
==1926241==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7faf284d6c18 bp 0x511000015bc0 sp 0x7fff5c0b2210 T0)
==1926241==The signal is caused by a READ memory access.
    #0 0x7faf284d6c18 in ctts_box_write isomedia/box_code_base.c:464
    #1 0x7faf28565469 in gf_isom_box_write_listing isomedia/box_funcs.c:2154
    #2 0x7faf28565469 in gf_isom_box_write isomedia/box_funcs.c:2204

PoC:
  https://github.com/sigdevel/pocs/blob/main/res/gpac/MP4Box/5/5_poc.mp4

References:
  https://github.com/gpac/gpac/issues/3156
  https://www.cve.org/CVERecord?id=CVE-2025-55659
  https://infosec.exchange/@sigdevel/116710743410087676

——
Best regards, Alexander A. Shvedov
https://github.com/sigdevel