CVE Vulnerabilities

CVE-2019-20631

Release of Invalid Pointer or Reference

Published: Mar 24, 2020 | Modified: Mar 25, 2020
CVSS 3.x
5.5
MEDIUM
Source:
NVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CVSS 2.x
4.3 MEDIUM
AV:N/AC:M/Au:N/C:N/I:N/A:P
RedHat/V2
RedHat/V3
Ubuntu
LOW

An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstrated by MP4Box. It contains an invalid pointer dereference in gf_list_count in utils/list.c that can cause a denial of service via a crafted MP4 file.

Weakness

The product attempts to return a memory resource to the system, but it calls the wrong release function or calls the appropriate release function incorrectly.

Affected Software

Name Vendor Start Version End Version
Gpac Gpac * 0.8.0 (excluding)
Gpac Ubuntu bionic *
Gpac Ubuntu eoan *
Gpac Ubuntu groovy *
Gpac Ubuntu trusty *
Gpac Ubuntu trusty/esm *
Gpac Ubuntu xenial *

Extended Description

This weakness can take several forms, such as:

Potential Mitigations

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, glibc in Linux provides protection against free of invalid pointers.

References