CVE-2026-13523

Heap Overflow in GPAC ISOBMFF Parser

Vulnerability report for CVE-2026-13523, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: VulDB

Description

A weakness has been identified in GPAC up to 26.02.0. It affects an unknown part of the file src/utils/base_encoding.c in the ISOBMFF Parser component. Manipulating the input leads to decompression of highly compressed data (uncontrolled decompression, CWE-409). The attack must be launched locally. An exploit has been made available to the public and could be used for attacks. The fix is commit 297f2d8d1f493d8b241330533cd47f7da758aeb3; applying this patch remediates the issue. The vendor confirms: "We added a check on inflate output size, if it surpasses 32 times the input size we stop in error. This value could be adjusted later."

Meta Information

Published: 2026-06-29
Last Modified: 2026-06-29
Generated: 2026-06-29
AI Q&A: 2026-06-29
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor: gpac
Product: gpac
Version / Range: up to 26.02.0 (inclusive)

CWE

CWE-409: The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.
CWE-404: The product does not release or incorrectly releases a resource before it is made available for re-use.

AI Quick Actions
Executive Summary

This vulnerability exists in GPAC up to version 26.02.0, specifically in the ISOBMFF Parser component's decompression function. An attacker can craft a small compressed media file that, when decompressed, expands to a very large size, causing excessive memory consumption.

The root cause is that the decompression function inflates compressed data into a dynamically growing heap buffer without enforcing a maximum output size or compression ratio limit. This allows a small input (e.g., 64 KB) to expand to a much larger size (e.g., 64 MB), which can be exploited locally.

The vulnerability is known as an uncontrolled decompression or zip bomb vulnerability, and it affects applications processing user-supplied media files using GPAC-based tools.

Impact Analysis

This vulnerability can lead to denial of service by causing excessive memory consumption during decompression of maliciously crafted media files.

If an attacker provides a specially crafted compressed file, the decompression process can consume large amounts of memory, potentially crashing the application or degrading system performance.

This impact is local, meaning the attack must be launched on a system where the vulnerable GPAC software is running and processing the malicious file.

Detection Guidance

This vulnerability involves decompression of crafted media files that expand to very large sizes, causing excessive memory consumption and potential denial of service. Detection involves monitoring for unusually large decompression operations or processing of suspicious media files that could trigger this behavior.

Since the attack requires local execution and involves processing compressed media files with GPAC-based tools, detection can focus on identifying such files or monitoring the behavior of GPAC processes for abnormal memory usage or decompression activity.

Specific commands are not provided in the resources, but general approaches include:

  • Monitoring GPAC process memory usage with tools like `top`, `htop`, or `ps` to detect spikes during media file processing.
  • Using file inspection commands such as `file` or `mediainfo` to identify suspicious or unusually small compressed media files that could expand excessively.
  • Employing system call tracing tools like `strace` on GPAC processes to observe decompression-related calls and detect abnormal behavior.
  • Implementing custom scripts to check for media files with compressed payloads that decompress to sizes exceeding a safe multiplier (e.g., 32 times the input size).

Mitigation Strategies

The primary mitigation step is to apply the patch identified by commit 297f2d8d1f493d8b241330533cd47f7da758aeb3, which introduces a maximum multiplier limit for decompression output size to prevent zip bomb attacks.

This patch enforces a limit where the decompressed data cannot exceed 32 times the size of the compressed input, stopping decompression with an error if this threshold is surpassed.

Additional immediate steps include:

  • Update GPAC to a version that includes the patch, or to any later version in which this fix is integrated.
  • Avoid processing untrusted or suspicious media files with GPAC tools until patched.
  • Monitor system resources during media file processing to detect and stop potential exploitation attempts.
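As an added example (not code from GPAC or from this advisory), the ratio cap described above implemented over zlib's incremental decompressor: the same 32x multiplier the patch uses, enforced chunk by chunk so a bomb is rejected before its full expansion is allocated. The bomb and benign payloads below are constructed for the demonstration.

```python
import random
import zlib

# Cap taken from the GPAC fix quoted above: inflated output may not exceed
# 32 times the compressed input, otherwise decompression stops with an error.
MAX_RATIO = 32


class DecompressionBombError(ValueError):
    """Inflated output exceeded MAX_RATIO * len(compressed input)."""


def bounded_inflate(compressed: bytes, max_ratio: int = MAX_RATIO,
                    chunk: int = 64 * 1024) -> bytes:
    """Inflate a zlib stream, aborting as soon as the ratio cap is exceeded."""
    limit = max_ratio * len(compressed)
    inflater = zlib.decompressobj()
    out = bytearray()
    data = compressed
    while not inflater.eof:
        # Never request more output than the remaining budget plus one byte:
        # that single extra byte is enough to detect an overrun.
        room = limit - len(out) + 1
        piece = inflater.decompress(data, min(chunk, room))
        out += piece
        if len(out) > limit:
            raise DecompressionBombError(
                f"output exceeded {max_ratio}x of {len(compressed)} input bytes")
        data = inflater.unconsumed_tail  # input left over because of max_length
        if not piece and not data and not inflater.eof:
            raise zlib.error("truncated or corrupt deflate stream")
    return bytes(out)


def classify(compressed: bytes) -> str:
    """Return 'bomb' if the payload trips the ratio cap, else 'ok'."""
    try:
        bounded_inflate(compressed)
    except DecompressionBombError:
        return "bomb"
    return "ok"


# Constructed samples (not from the advisory): 4 MiB of zeros shrinks to a few
# KiB, an expansion far beyond 32x; pseudo-random bytes barely compress at all.
BOMB_COMPRESSED = zlib.compress(bytes(4 * 1024 * 1024), 9)
_rng = random.Random(1)
BENIGN_PLAIN = bytes(_rng.getrandbits(8) for _ in range(4096))
BENIGN_COMPRESSED = zlib.compress(BENIGN_PLAIN)
```

The same loop can be run over any compressed payload extracted from a media file to implement the "safe multiplier" check from the detection list above.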

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
