CVE-2021-21841: 
NixOS vulnerability analysis and mitigation

An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. The vulnerability was discovered and disclosed in August 2021. When reading an atom using the "sbgp" FOURCC code, the function can experience an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption (Talos Intelligence).

The vulnerability occurs in the MPEG-4 decoding functionality when parsing atoms within the container. The library reads fields from the atom's contents and uses them to calculate boundaries, explicitly trusting these fields to calculate heap-buffer sizes. Due to unchecked arithmetic, this can result in an integer overflow or truncation leading to an undersized heap allocation. When the library later attempts to read the atom's contents into this buffer, a heap-based buffer overflow occurs. The vulnerability has a CVSS v3.0 score of 8.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) (Talos Intelligence).

A successful exploit could allow an attacker to cause memory corruption leading to code execution under the context of the library. The vulnerability affects confidentiality, integrity and availability with high severity ratings (Talos Intelligence).

The vulnerability has been fixed in GPAC version 1.0.1+dfsg1-4+deb11u1 for Debian's stable distribution (bullseye). Users are recommended to upgrade their GPAC packages to the patched version (Debian Security).