CVE-2025-55642
Description
GPAC MP4Box before commit f87b306 is vulnerable to a divide-by-zero in avidmx_process() when processing crafted AVI files with zero declared frames, causing a denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GPAC MP4Box before commit f87b306 is vulnerable to a divide-by-zero in avidmx_process() when processing crafted AVI files with zero declared frames, causing a denial of service.
Vulnerability
The vulnerability resides in the avidmx_process() function within filters/dmx_avi.c. When MP4Box processes a crafted AVI-like media file that declares a frame count of zero (e.g., 0/256), the function does not validate this value before using it as a divisor during bitrate computation. This affects GPAC MP4Box versions prior to commit f87b30611380e4dcd03cd4dd9ac553c0ec336826, including the v2.4 release [1].
Exploitation
An attacker can craft an AVI file with a zero frame count declaration. To exploit the vulnerability, the attacker must deliver this file to a user and persuade them to process it with MP4Box (e.g., via mp4box -dash or similar command). No authentication is required. Upon processing, the avidmx_process() function performs a division by zero, causing a floating-point exception [1].
Impact
Successful exploitation leads to a denial of service (DoS) condition: MP4Box terminates abnormally due to a floating-point exception (SIGFPE) triggered by the division by zero. No confidentiality or integrity impact is expected. The crash is limited to the processing of the malicious file [1].
Mitigation
The issue is fixed in commit f87b30611380e4dcd03cd4dd9ac553c0ec336826. Users of GPAC MP4Box should update to a version that includes this commit. As of the publication date, no other workarounds are documented. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog [1].
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing validation of frame count before using it as a divisor in bitrate computation leads to a divide-by-zero floating-point exception."
Attack vector
An attacker provides a crafted AVI-like media file with an invalid frame-count metadata (e.g., a 0/256 frame declaration) to MP4Box. When the Dasher computes the bitrate from the bitstream because no bitrate property was assigned to the PID, the division by the invalid frame count triggers an uncaught floating-point exception. No authentication or special privileges are required beyond the ability to supply the crafted file [ref_id=1].
Affected code
The vulnerability resides in `avidmx_process()` within `filters/dmx_avi.c` (line 639). The function fails to validate that the frame count is non-zero before using it as a divisor during bitrate computation, which is triggered via `gf_dasher_process()` when MP4Box performs DASH segmentation on a crafted AVI-like input.
What the fix does
The fix commit `f87b30611380e4dcd03cd4dd9ac553c0ec336826` adds a validation check in `avidmx_process()` to ensure the frame count is non-zero before it is used as a divisor in bitrate computation. This prevents the floating-point exception by either skipping the division or returning an error when the frame count is invalid.
Preconditions
- inputThe attacker must supply a crafted AVI-like file with a zero frame count declaration.
- configThe victim must run MP4Box with the `-dash` option on the crafted file.
Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
2News mentions
0No linked articles in our index yet.