VYPR
Medium severity 5.5 · NVD Advisory · Published Jun 1, 2026 · Updated Jun 1, 2026

CVE-2025-60483

Description

A NULL pointer dereference in GPAC's MP4Box allows attackers to cause a Denial of Service via a crafted AC4 file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A NULL pointer dereference vulnerability exists in the gf_ac4_pres_b_4_back_channels_present function within media_tools/av_parsers.c of GPAC Project/MP4Box. The issue occurs when the parser fails to validate substream group references before accessing presentation data, specifically when an invalid group index is provided in a crafted AC4 file. This vulnerability affects versions prior to 26.02 [1], [2].

Exploitation

An attacker can trigger this vulnerability by providing a specially crafted AC4 media file to the MP4Box utility. No special authentication or network access is required beyond the ability to supply the malicious file to the application for processing, such as during a transcoding or analysis task [2], [3].

Impact

Successful exploitation of this vulnerability results in a segmentation fault, leading to a Denial of Service (DoS) of the MP4Box process. This causes the application to crash, potentially disrupting services that rely on GPAC for media processing [2].

Mitigation

This vulnerability is addressed in GPAC version 26.02 and later. Users are advised to update their installations to the latest version to incorporate the necessary validation checks [1].

AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

1
13eb5b76560a

more ac4 and fuzzing fixes:

https://github.com/gpac/gpac · Aurelien David · Jul 16, 2025 · via nvd-ref
4 files changed · +8 -13
  • src/filter_core/filter_pid.c · +1 -1 · modified
    @@ -9042,7 +9042,7 @@ GF_Err gf_filter_pid_resolve_file_template_ex(GF_FilterPid *pid, const char szTe
     				prop_val = gf_filter_pid_get_property_first(pid, GF_PROP_PID_FILEALIAS);
     				if (!prop_val) prop_val = gf_filter_pid_get_property_first(pid, GF_PROP_PID_FILEPATH);
     				//if filepath is a gmem:// wrapped, don't use it !
    -				if (prop_val && !strncmp(prop_val->value.string, "gmem://", 7))
    +				if (prop_val && prop_val->value.string && !strncmp(prop_val->value.string, "gmem://", 7))
     					prop_val = NULL;
     
     				if (!prop_val)
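Review bot: On the changed `gmem://` line, a property whose `value.string` is NULL now fails the condition and is kept, so it passes the following `if (!prop_val)` test and any later use of `prop_val->value.string` sees NULL. Treating a NULL string as a missing property closes that path: `if (prop_val && (!prop_val->value.string || !strncmp(prop_val->value.string, "gmem://", 7))) prop_val = NULL;`.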
    
  • src/filters/load_text.c · +1 -1 · modified
    @@ -738,7 +738,7 @@ static void txtin_process_send_text_sample(GF_TXTIn *ctx, GF_TextSample *txt_sam
     		ctx->seek_state = 0;
     	}
     
    -	if (!ctx->pid_framed && (ctx->stxtmod <=STXT_MODE_SBTT)) {
    +	if (!ctx->pid_framed && (ctx->stxtmod <=STXT_MODE_SBTT) && txt_samp->text && txt_samp->len) {
     		dst_pck = gf_filter_pck_new_alloc(ctx->opid, txt_samp->len, &pck_data);
     		if (!dst_pck) return;
     		memcpy(pck_data, txt_samp->text, txt_samp->len);
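Review bot: The added `txt_samp->text && txt_samp->len` test on the `if` line sends an empty or NULL-text sample to whatever follows this branch rather than dropping it, and that alternative path is not visible here. If that path also reads `txt_samp->text`, the NULL pointer has only moved; an explicit early return for empty samples before the `if`, with a short comment saying why, would make the intent clear.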
    
  • src/media_tools/av_parsers.c · +4 -1 · modified
    @@ -15035,7 +15035,8 @@ static Bool gf_ac4_oamd_common_data(GF_BitStream *bs)
     		gf_ac4_bed_render_info(bs);
     
     		bits_used = (u32) (gf_bs_get_bit_offset(bs) - pos);
    -		gf_bs_read_int(bs, add_data_bytes * 8 - bits_used);
    +		u32 bits_to_read = MIN( (u32)(8*gf_bs_available(bs)), (u32)(add_data_bytes * 8 - bits_used));
    +		gf_bs_read_int(bs, MIN(32, bits_to_read));
     	}
     	return GF_TRUE;
     }
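Review bot: `gf_bs_read_int(bs, MIN(32, bits_to_read))` skips at most 32 bits, so when `add_data_bytes * 8 - bits_used` is larger than 32 the rest of the additional data is left unread and the parser continues from the wrong bit position. The subtraction is also unsigned, so `bits_used > add_data_bytes * 8` wraps to a large value that is then clamped and still consumes up to 32 bits. Suggest rejecting the `bits_used > add_data_bytes * 8` case explicitly and skipping the remainder in a loop of reads of at most 32 bits each; `bits_to_read` should also be declared with the other locals at the top of the block.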
    @@ -15700,6 +15701,7 @@ static u8 gf_ac4_pres_b_4_back_channels_present(GF_AC4PresentationV1 *p)
     	// ETSI TS 103 190-2 V1.2.1 (2018-02) E.10.12
         for (i = 0; i < p->n_substream_groups; i ++){
     		group = gf_list_get(p->substream_groups, i);
    +		if (!group) continue;
             for (j = 0; j < group->n_lf_substreams; j++){
     			substream = gf_list_get(group->substreams, j);
                 mask |= substream->b_4_back_channels_present;
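Review bot: The inner loop still dereferences `substream` on the `mask |= substream->b_4_back_channels_present;` line without a check, and `j` is bounded by `group->n_lf_substreams` rather than by the length of `group->substreams`. The same mismatch that produced a NULL `group` can produce a NULL `substream`, so an `if (!substream) continue;` after the inner `gf_list_get` is needed as well.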
    @@ -15718,6 +15720,7 @@ static u8 gf_ac4_pres_top_channel_pairs(GF_AC4PresentationV1 *p)
     	// ETSI TS 103 190-2 V1.2.1 (2018-02) 6.3.3.1.30 Table 94
         for (i = 0; i < p->n_substream_groups; i ++){
     		group = gf_list_get(p->substream_groups, i);
    +		if (!group) continue;
             for (j = 0; j < group->n_lf_substreams; j++){
     			substream = gf_list_get(group->substreams, j);
                 if (tmp_pres_top_channel_pairs < substream->top_channels_present) {
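Review bot: `if (!group) continue;` hides a disagreement between `p->n_substream_groups` and the actual length of `p->substream_groups`, and the function then returns a value computed from a partial list. Bounding the loop by the list count, or logging and failing the parse when an entry is NULL, would surface the malformed stream instead of masking it. `substream->top_channels_present` in the inner loop is also read without a NULL check.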
    
  • src/odf/descriptors.c · +2 -10 · modified
    @@ -2176,6 +2176,7 @@ GF_Err gf_odf_ac4_cfg_dsi_v1(GF_AC4StreamInfo *dsi, GF_BitStream *bs, u64 *size,
     
     			for (i = 0; i < dsi->n_presentations; i++) {
     				p = gf_list_get(dsi->presentations, i);
    +				if (!p) continue;
     				if (p->presentation_version == 2) {
     					GF_SAFEALLOC(imsp, GF_AC4PresentationV1);
     					gf_odf_ac4_presentation_deep_copy(imsp, p);
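Review bot: Directly after the new `if (!p) continue;` guard, `imsp` from `GF_SAFEALLOC(imsp, GF_AC4PresentationV1);` is passed to `gf_odf_ac4_presentation_deep_copy(imsp, p);` without checking that the allocation succeeded. Since this commit is hardening the same loop against NULL, an `if (!imsp)` error return belongs here too. The `continue` also leaves `dsi->n_presentations` counting an entry that was skipped, which is worth a comment or a warning log.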
    @@ -2417,7 +2418,7 @@ void gf_odf_ac4_presentation_deep_copy(GF_AC4PresentationV1 *pres_dst, GF_AC4Pre
     GF_EXPORT
     void gf_odf_ac4_cfg_clean_list(GF_AC4Config *cfg)
     {
    -	u32 i, s;
    +	u32 s;
     	GF_AC4PresentationV1 *pres;
     	GF_AC4SubStreamGroupV1 *group;
     	GF_AC4SubStream *subs;
    @@ -2457,15 +2458,6 @@ void gf_odf_ac4_cfg_clean_list(GF_AC4Config *cfg)
     				}
     				gf_list_del(pres->substream_groups);
     
    -				// remove potential duplicates of substream_groups
    -				for (i=0; i<gf_list_count(cfg->stream.presentations); i++) {
    -					GF_AC4PresentationV1* pres2 = gf_list_get(cfg->stream.presentations, i);
    -					if (pres2 && pres2->substream_groups == pres->substream_groups) {
    -						pres2->substream_groups = NULL;
    -					}
    -
    -				}
    -
     			}
     			gf_free(pres);
     		}
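Review bot: The removed loop ran right after `gf_list_del(pres->substream_groups);` and cleared `pres2->substream_groups` on any other presentation holding the same list pointer, which is what kept a shared list from being deleted a second time on a later iteration. The commit message does not say why sharing can no longer happen. Please state the invariant in a comment (for example, that every presentation owns its own list), or keep a guard against deleting the same list twice.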
    

Vulnerability mechanics

Root cause

"Missing NULL-pointer validation when iterating substream group list entries in AC4 presentation parsing."

Attack vector

An attacker supplies a crafted AC4 file that references a non-existent substream group index (e.g., index 4 when only 0–3 are valid) [ref_id=2]. When MP4Box processes this file (e.g., via `-dash`), the parser calls `gf_ac4_pres_b_4_back_channels_present`, which dereferences the NULL group pointer, causing a segmentation fault [ref_id=2]. The attack requires no authentication and is triggered simply by opening the malicious file.

Affected code

The vulnerability resides in `gf_ac4_pres_b_4_back_channels_present` at `media_tools/av_parsers.c:15703` [ref_id=2]. The function iterates over `p->substream_groups` without checking whether `gf_list_get()` returns a NULL pointer, leading to a null-pointer dereference when a crafted AC4 file supplies an invalid substream group index [ref_id=1][ref_id=2].

What the fix does

The patch adds an `if (!group) continue;` guard in `gf_ac4_pres_b_4_back_channels_present` and the related `gf_ac4_pres_top_channel_pairs` function, skipping NULL substream group entries instead of dereferencing them [ref_id=1]. It also adds a similar NULL check for presentation pointers in `gf_odf_ac4_cfg_dsi_v1` and removes a duplicate-cleanup loop that could leave dangling pointers [ref_id=1]. These changes prevent the null-pointer dereference by validating that list entries are non-NULL before accessing their fields.
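The pattern behind the bug and its guard, as an added example that is not GPAC code: a loop bounded by a stored counter while the list getter returns NULL past the end of the list. The types and `list_get` are simplified stand-ins (assumptions), and the substream check and `skipped` counter go beyond what the patch adds.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for GPAC's list and AC4 structures (hypothetical). */
typedef struct { void **items; uint32_t count; } List;
typedef struct { uint8_t b_4_back_channels_present; } SubStream;
typedef struct { uint32_t n_lf_substreams; List substreams; } Group;
typedef struct { uint32_t n_substream_groups; List substream_groups; } Presentation;

/* Like the getter in the patch: an out-of-range index yields NULL, not an error. */
static void *list_get(const List *l, uint32_t idx)
{
	return idx < l->count ? l->items[idx] : NULL;
}

/* Hardened walk: each entry is checked before use; *skipped counts NULL entries. */
static uint8_t back_channels_present(const Presentation *p, uint32_t *skipped)
{
	uint8_t mask = 0;
	*skipped = 0;
	for (uint32_t i = 0; i < p->n_substream_groups; i++) {
		const Group *group = list_get(&p->substream_groups, i);
		if (!group) { (*skipped)++; continue; }  /* guard added by the patch */
		for (uint32_t j = 0; j < group->n_lf_substreams; j++) {
			const SubStream *s = list_get(&group->substreams, j);
			if (!s) { (*skipped)++; continue; }  /* same guard, one level down */
			mask |= s->b_4_back_channels_present;
		}
	}
	return mask;
}

/* Constructed sample: the counters claim 5 groups and 2 substreams, the lists hold 1 each. */
static uint8_t demo(uint32_t *skipped)
{
	static SubStream s0 = { 1 };
	static void *subs[] = { &s0 };
	static Group g0 = { 2, { subs, 1 } };
	static void *groups[] = { &g0 };
	Presentation p = { 5, { groups, 1 } };
	return back_channels_present(&p, skipped);
}

int main(void)
{
	uint32_t skipped;
	uint8_t mask = demo(&skipped);
	printf("mask=%u skipped=%u\n", (unsigned)mask, (unsigned)skipped);
	return 0;
}
```

A non-zero `skipped` means the counters and the lists disagree, which a caller can treat as a malformed stream rather than continuing with a partial result.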

Preconditions

  • input: Attacker must supply a crafted AC4 file with an invalid substream group index.
  • config: Victim must process the file with GPAC/MP4Box (e.g., dash segmentation).

Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
