VYPR
CVE-2025-60477

Unrated severity · NVD Advisory · Published Jun 3, 2026

Description

GPAC MP4Box before 26.02.0 suffers from a NULL pointer dereference in gf_filter_pid_resolve_file_template_ex, leading to a Denial of Service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A NULL pointer dereference vulnerability exists in the gf_filter_pid_resolve_file_template_ex function within filter_core/filter_pid.c in GPAC Project/MP4Box before version 26.02.0. The issue occurs when processing files with specially crafted metadata containing special characters: the function calls strncmp() on a property whose string value (value.string) is NULL.

Exploitation

An attacker can trigger this vulnerability by supplying a crafted file to MP4Box. The reported reproduction runs ./MP4Box -dash 100 48_gf_filter_pid_resolve_file_template_ex_filter_core_filter_pid_c_9045, where the input file carries metadata that leads to the NULL pointer dereference [1].

Impact

Successful exploitation of this vulnerability results in a Denial of Service (DoS): the NULL pointer dereference causes a segmentation fault that terminates the MP4Box process, so the crafted file is never processed.

Mitigation

The vulnerability was fixed in GPAC version 26.02.0. The fix involves adding a check for prop_val->value.string before performing the strncmp operation to prevent dereferencing a NULL pointer [2]. Users are advised to upgrade to a version of GPAC that includes this fix.

AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 1

Commit 13eb5b76560a

more ac4 and fuzzing fixes:

https://github.com/gpac/gpac · Aurelien David · Jul 16, 2025 · via nvd-ref
4 files changed · +8 -13
  • src/filter_core/filter_pid.c (+1 -1, modified)
    @@ -9042,7 +9042,7 @@ GF_Err gf_filter_pid_resolve_file_template_ex(GF_FilterPid *pid, const char szTe
     				prop_val = gf_filter_pid_get_property_first(pid, GF_PROP_PID_FILEALIAS);
     				if (!prop_val) prop_val = gf_filter_pid_get_property_first(pid, GF_PROP_PID_FILEPATH);
     				//if filepath is a gmem:// wrapped, don't use it !
    -				if (prop_val && !strncmp(prop_val->value.string, "gmem://", 7))
    +				if (prop_val && prop_val->value.string && !strncmp(prop_val->value.string, "gmem://", 7))
     					prop_val = NULL;
     
     				if (!prop_val)
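Review bot: the added `prop_val->value.string` guard stops the strncmp crash, but it leaves `prop_val` non-NULL with a NULL string, so the `if (!prop_val)` fallback that follows does not fire for exactly the malformed case this hunk fixes; either clear the pointer when the string is missing (`if (prop_val && !prop_val->value.string) prop_val = NULL;`) or confirm that the code after this branch tolerates a NULL string. It is also worth finding out how a GF_PROP_PID_FILEALIAS or GF_PROP_PID_FILEPATH property ends up with a NULL string, since the producer of that property is the better place to reject it.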
    
  • src/filters/load_text.c (+1 -1, modified)
    @@ -738,7 +738,7 @@ static void txtin_process_send_text_sample(GF_TXTIn *ctx, GF_TextSample *txt_sam
     		ctx->seek_state = 0;
     	}
     
    -	if (!ctx->pid_framed && (ctx->stxtmod <=STXT_MODE_SBTT)) {
    +	if (!ctx->pid_framed && (ctx->stxtmod <=STXT_MODE_SBTT) && txt_samp->text && txt_samp->len) {
     		dst_pck = gf_filter_pck_new_alloc(ctx->opid, txt_samp->len, &pck_data);
     		if (!dst_pck) return;
     		memcpy(pck_data, txt_samp->text, txt_samp->len);
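Review bot: the new `txt_samp->text && txt_samp->len` condition silently drops the packet for both the malformed sample and a legitimately empty one, which changes output in SBTT mode if empty samples carry meaning there; if an empty sample should still be emitted, keep the branch and guard only the memcpy (a zero-length `gf_filter_pck_new_alloc` with no copy), and log the `text == NULL` with `len > 0` combination, since that is the inconsistent input a fuzzer produced.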
    
  • src/media_tools/av_parsers.c (+4 -1, modified)
    @@ -15035,7 +15035,8 @@ static Bool gf_ac4_oamd_common_data(GF_BitStream *bs)
     		gf_ac4_bed_render_info(bs);
     
     		bits_used = (u32) (gf_bs_get_bit_offset(bs) - pos);
    -		gf_bs_read_int(bs, add_data_bytes * 8 - bits_used);
    +		u32 bits_to_read = MIN( (u32)(8*gf_bs_available(bs)), (u32)(add_data_bytes * 8 - bits_used));
    +		gf_bs_read_int(bs, MIN(32, bits_to_read));
     	}
     	return GF_TRUE;
     }
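Review bot: the `MIN(32, bits_to_read)` clamp consumes at most 32 bits, so whenever the remaining `add_data_bytes` padding is longer than 32 bits the bitstream is left mid-field and the reads that follow are misaligned, instead of the previous skip-to-end behaviour; loop on `gf_bs_read_int` in 32-bit chunks (or use a skip-bits call) until `bits_to_read` is exhausted. Separately, `add_data_bytes * 8 - bits_used` wraps as u32 when `bits_used` exceeds the declared size, and the `gf_bs_available` clamp then masks it by reading to the end of the stream; an explicit `if (bits_used > add_data_bytes * 8) return GF_FALSE;` would make the malformed case visible rather than silently consuming the rest of the buffer.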
    @@ -15700,6 +15701,7 @@ static u8 gf_ac4_pres_b_4_back_channels_present(GF_AC4PresentationV1 *p)
     	// ETSI TS 103 190-2 V1.2.1 (2018-02) E.10.12
         for (i = 0; i < p->n_substream_groups; i ++){
     		group = gf_list_get(p->substream_groups, i);
    +		if (!group) continue;
             for (j = 0; j < group->n_lf_substreams; j++){
     			substream = gf_list_get(group->substreams, j);
                 mask |= substream->b_4_back_channels_present;
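Review bot: `if (!group) continue;` guards the outer list, but `substream = gf_list_get(group->substreams, j)` on the next line is still dereferenced without a check (`substream->b_4_back_channels_present`); if `gf_list_get` can return NULL here, as the new check assumes for groups, the inner lookup needs the same `if (!substream) continue;`.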
    @@ -15718,6 +15720,7 @@ static u8 gf_ac4_pres_top_channel_pairs(GF_AC4PresentationV1 *p)
     	// ETSI TS 103 190-2 V1.2.1 (2018-02) 6.3.3.1.30 Table 94
         for (i = 0; i < p->n_substream_groups; i ++){
     		group = gf_list_get(p->substream_groups, i);
    +		if (!group) continue;
             for (j = 0; j < group->n_lf_substreams; j++){
     			substream = gf_list_get(group->substreams, j);
                 if (tmp_pres_top_channel_pairs < substream->top_channels_present) {
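Review bot: same gap as in gf_ac4_pres_b_4_back_channels_present above: `substream` from `gf_list_get(group->substreams, j)` is dereferenced (`substream->top_channels_present`) without a NULL check while `group` now has one; add `if (!substream) continue;`, or factor the two nearly identical loops into one helper so the guards cannot drift apart again.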
    
  • src/odf/descriptors.c (+2 -10, modified)
    @@ -2176,6 +2176,7 @@ GF_Err gf_odf_ac4_cfg_dsi_v1(GF_AC4StreamInfo *dsi, GF_BitStream *bs, u64 *size,
     
     			for (i = 0; i < dsi->n_presentations; i++) {
     				p = gf_list_get(dsi->presentations, i);
    +				if (!p) continue;
     				if (p->presentation_version == 2) {
     					GF_SAFEALLOC(imsp, GF_AC4PresentationV1);
     					gf_odf_ac4_presentation_deep_copy(imsp, p);
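Review bot: `GF_SAFEALLOC(imsp, GF_AC4PresentationV1)` is followed directly by `gf_odf_ac4_presentation_deep_copy(imsp, p)` without checking that the allocation succeeded, so an allocation failure becomes another NULL dereference two lines below the one this hunk fixes; add an `if (!imsp)` check that returns this function's out-of-memory error before the copy. A NULL `p` inside `dsi->presentations` also indicates an inconsistent list rather than a valid state, so a log line on the new `continue` would help fuzz triage.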
    @@ -2417,7 +2418,7 @@ void gf_odf_ac4_presentation_deep_copy(GF_AC4PresentationV1 *pres_dst, GF_AC4Pre
     GF_EXPORT
     void gf_odf_ac4_cfg_clean_list(GF_AC4Config *cfg)
     {
    -	u32 i, s;
    +	u32 s;
     	GF_AC4PresentationV1 *pres;
     	GF_AC4SubStreamGroupV1 *group;
     	GF_AC4SubStream *subs;
    @@ -2457,15 +2458,6 @@ void gf_odf_ac4_cfg_clean_list(GF_AC4Config *cfg)
     				}
     				gf_list_del(pres->substream_groups);
     
    -				// remove potential duplicates of substream_groups
    -				for (i=0; i<gf_list_count(cfg->stream.presentations); i++) {
    -					GF_AC4PresentationV1* pres2 = gf_list_get(cfg->stream.presentations, i);
    -					if (pres2 && pres2->substream_groups == pres->substream_groups) {
    -						pres2->substream_groups = NULL;
    -					}
    -
    -				}
    -
     			}
     			gf_free(pres);
     		}
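Review bot: deleting the duplicate-pointer neutralisation in gf_odf_ac4_cfg_clean_list is only safe if no two presentations can still share one `substream_groups` list; the earlier hunk in gf_odf_ac4_cfg_dsi_v1 deep-copies a presentation into `imsp`, which suggests the aliasing is now removed at construction time, but if any other path still assigns the same list to two presentations, `gf_list_del(pres->substream_groups)` runs twice on it and the change trades a leak guard for a double free. The commit message ("more ac4 and fuzzing fixes") should state why unique ownership is now guaranteed, and a regression input with `presentation_version == 2` would exercise exactly this path.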
    

Vulnerability mechanics

Root cause

"A NULL pointer dereference occurs in gf_filter_pid_resolve_file_template_ex when processing specially crafted metadata."

Attack vector

An attacker can trigger a NULL pointer dereference by supplying a crafted file to the MP4Box application. The function `gf_filter_pid_resolve_file_template_ex` calls `strncmp()` on a NULL string pointer when processing files with specially crafted metadata containing special characters, leading to a segmentation fault [ref_id=1]. The vulnerability is triggered by providing a malformed input file to the MP4Box tool, for example with the command `./MP4Box -dash 100 48_gf_filter_pid_resolve_file_template_ex_filter_core_filter_pid_c_9045` [ref_id=1].

Affected code

The vulnerability resides in the `gf_filter_pid_resolve_file_template_ex` function located in the file `filter_core/filter_pid.c` [ref_id=1]. The specific line of code affected is line 9045 in the original source [ref_id=1]. The fix is present in the commit `13eb5b76560aaf7813b865a2ad433258478e2695` [ref_id=2].

What the fix does

The patch addresses the NULL pointer dereference by adding a check for `prop_val->value.string` before calling `strncmp`. Previously, the code directly dereferenced `prop_val->value.string` without ensuring it was not NULL, which could lead to a crash if `prop_val` was valid but its string value was not initialized. The fix ensures that `strncmp` is only called when `prop_val` and its string value are valid, preventing the NULL pointer dereference [ref_id=2].
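As an added illustration (this is example code, not GPAC's), the following C program models the pre-fix and post-fix checks on a stand-in property struct and mirrors the alias-then-path fallback from the hunk; the struct names and the `resolve_file_property` helper are this example's own, and the helper additionally treats a property with a NULL string as "no usable path".

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for GPAC's property value (constructed for this example): the
 * property object can exist while its string member is still NULL. */
typedef struct { const char *string; } prop_value_t;
typedef struct { prop_value_t value; } prop_t;

/* Pre-fix check as the hunk shows it: guards prop_val, not the string.
 * Calling this with a non-NULL prop whose string is NULL is the crash. */
static bool is_gmem_wrapped_unchecked(const prop_t *prop_val) {
    return prop_val && !strncmp(prop_val->value.string, "gmem://", 7);
}

/* Post-fix check: the string is guarded before strncmp dereferences it. */
static bool is_gmem_wrapped_checked(const prop_t *prop_val) {
    return prop_val && prop_val->value.string &&
           !strncmp(prop_val->value.string, "gmem://", 7);
}

/* Mirrors the alias-then-path fallback from the hunk and drops gmem://
 * wrappers. Unlike the hunk, a property with a NULL string is also treated
 * as "no usable path" (hypothetical helper; returns NULL in that case). */
static const char *resolve_file_property(const prop_t *alias, const prop_t *path) {
    const prop_t *prop_val = alias ? alias : path;
    if (is_gmem_wrapped_checked(prop_val)) prop_val = NULL;
    if (!prop_val || !prop_val->value.string) return NULL;
    return prop_val->value.string;
}

int main(void) {
    prop_t alias_no_string = { { NULL } };      /* the crafted-metadata case */
    prop_t path_plain = { { "movie.mp4" } };
    prop_t path_gmem = { { "gmem://0x1234" } };
    const char *r = resolve_file_property(&alias_no_string, &path_plain);
    printf("alias with NULL string -> %s\n", r ? r : "(no usable path)");
    printf("gmem wrapper rejected: %d\n", is_gmem_wrapped_checked(&path_gmem));
    printf("plain path via old check: %d\n", is_gmem_wrapped_unchecked(&path_plain));
    return 0;
}
```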

Preconditions

  • input: The input file must contain specially crafted metadata with special characters.

Reproduction

Steps to reproduce the behavior: `./MP4Box -dash 100 48_gf_filter_pid_resolve_file_template_ex_filter_core_filter_pid_c_9045` [ref_id=1]

Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4
