CVE-2021-21837: 
NixOS vulnerability analysis and mitigation

Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability (Talos Report).

The vulnerability exists in the MPEG-4 decoding functionality where the library processes atoms from the container. When parsing various atom types, the library reads fields from the atom's contents and uses them to calculate boundaries of fields within the rest of the atom. The fields are explicitly trusted and used to calculate heap-buffer sizes, which can result in integer overflow or integer truncation leading to undersized heap allocations. This causes heap-based buffer overflow when reading atom contents into the undersized buffer. The vulnerability has a CVSSv3 score of 8.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is classified as CWE-680 - Integer Overflow to Buffer Overflow (Talos Report).

A successful exploit of this vulnerability can result in code execution under the context of the library. The vulnerability affects the integrity of memory handling and can lead to arbitrary code execution when a specially crafted MPEG-4 file is processed (Talos Report).

The vulnerability has been fixed in version 1.0.1+dfsg1-4+deb11u1 for Debian bullseye. The oldstable distribution (buster) is not affected by this vulnerability. Users are recommended to upgrade their gpac packages to the fixed version (Debian Advisory).