CVE-2025-55664
Description
A heap buffer overflow in GPAC MP4Box v2.4 allows attackers to cause a Denial of Service via a crafted MP4 file containing corrupted MPEG-2 TS packet structures.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A heap buffer overflow exists in the m2tsdmx_send_packet function within filters/dmx_m2ts.c of GPAC MP4Box v2.4. The vulnerability occurs because the MPEG-2 TS demuxer fails to properly validate data sizes before performing memory copy operations when processing files with corrupted packet structures, allowing an invalid copy size to be triggered.
Exploitation
An attacker can exploit this vulnerability by providing a specially crafted MP4 file to the MP4Box utility. No specific network position or authentication is required; the attacker simply needs the victim to process the malicious file, which triggers the overflow during the demuxing process.
Impact
Successful exploitation of this vulnerability leads to a Denial of Service (DoS) condition, potentially causing the application to crash. The scope of the compromise is limited to the process executing the MP4Box utility.
Mitigation
This issue was addressed in the GPAC repository via commit 9bd6a72c9efc0513dfd33b87498afc7658dabd26 [2]. Users are advised to update to the latest version of GPAC to incorporate the necessary input validation fixes [1].
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 1
1 file changed · +1 −0
src/filters/dmx_m2ts.c+1 −0 modified@@ -869,6 +869,7 @@ static void m2tsdmx_send_packet(GF_M2TSDmxCtx *ctx, GF_M2TS_PES_PCK *pck) //skip dataID and stream ID if (pck->stream->stream_type==GF_M2TS_DVB_SUBTITLE) { + if (len<=2) return; ptr+=2; len-=2; }
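Review bot: the added `if (len<=2) return;` inside the GF_M2TS_DVB_SUBTITLE branch drops the short packet silently and has no comment saying that it protects the `len-=2` on the next line from going below zero. Add a one-line comment to that effect and consider a warning log before the return, so truncated subtitle PES data shows up in diagnostics. The check also covers only this branch; confirm that other stream types reaching the code after this block cannot arrive with a length too small for what follows, since that is not visible in this hunk.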
Vulnerability mechanics
Root cause
"Missing length validation in m2tsdmx_send_packet allows a memcpy with an attacker-controlled oversized size, leading to a heap-buffer-overflow."
Attack vector
An attacker supplies a crafted MPEG-2 TS file with corrupted packet structures. The demuxer fails to validate data sizes before a `memcpy` operation in `m2tsdmx_send_packet`, allowing an invalid large copy size (4294967295 bytes) to be used. This triggers a heap-buffer-overflow read, causing a Denial of Service (DoS). The precondition is that the victim opens the malicious file with GPAC MP4Box (e.g., via `./MP4Box -dash 100`).
Affected code
The heap-buffer-overflow occurs in the `m2tsdmx_send_packet` function in `filters/dmx_m2ts.c` at line 916. The call chain originates from `gf_m2ts_process_pes` in `media_tools/mpegts.c` and reaches `m2tsdmx_send_packet` via `m2tsdmx_on_event`.
What the fix does
The patch adds a single guard, `if (len<=2) return;`, inside the DVB subtitle branch of `m2tsdmx_send_packet`, immediately before the two-byte skip of the data ID and stream ID. This prevents the function from proceeding with a zero or negative length, which would otherwise cause an out-of-bounds `memcpy` when the packet data is undersized. The fix ensures that packets with insufficient payload are silently skipped rather than copied.
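The length arithmetic behind the guard, as an added example that is not GPAC code: it models the two-byte DVB subtitle skip on a 32-bit unsigned length (an assumption, consistent with the 4294967295-byte copy size reported above) and shows the unguarded result beside a guarded copy. The function names, the sample payloads and the output buffer are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Two bytes skipped for DVB subtitles (data ID + stream ID). */
#define DVB_SKIP 2u

/* Constructed sample payloads, not taken from any real stream. */
static const uint8_t SAMPLE_OK[5]    = {0x20, 0x00, 0xAA, 0xBB, 0xCC};
static const uint8_t SAMPLE_SHORT[1] = {0x20};
static uint8_t OUT[16];

/* Unguarded arithmetic: the length left after the skip.
 * Assumes a 32-bit unsigned length, so values below 2 wrap around. */
static uint32_t len_after_skip_unguarded(uint32_t len)
{
    return len - DVB_SKIP;
}

/* Guarded form modelled on the fix: drop payloads of 2 bytes or fewer,
 * then copy only what fits. Returns bytes copied, 0 when dropped. */
static size_t copy_dvb_payload(const uint8_t *ptr, uint32_t len,
                               uint8_t *out, size_t out_cap)
{
    if (len <= DVB_SKIP) return 0;      /* same test as the patch */
    ptr += DVB_SKIP;
    len -= DVB_SKIP;
    if (len > out_cap) return 0;        /* extra bound for this demo buffer */
    memcpy(out, ptr, len);
    return len;
}

int main(void)
{
    printf("unguarded, len=1: %u\n", (unsigned)len_after_skip_unguarded(1));
    printf("guarded, len=1: %zu bytes copied\n",
           copy_dvb_payload(SAMPLE_SHORT, sizeof SAMPLE_SHORT, OUT, sizeof OUT));
    printf("guarded, len=5: %zu bytes copied\n",
           copy_dvb_payload(SAMPLE_OK, sizeof SAMPLE_OK, OUT, sizeof OUT));
    return 0;
}
```

A one-byte payload is enough to produce the wrapped length, and a payload of exactly two bytes is also dropped because nothing would remain after the skip.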
Preconditions
- input: The attacker must supply a crafted MPEG-2 TS file that triggers the invalid size calculation in m2tsdmx_send_packet.
- config: The victim must run GPAC MP4Box with the crafted file (e.g., using the -dash option).
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 3
News mentions: 0. No linked articles in our index yet.