
Cloud Vulnerability DB
A community-led vulnerabilities database
An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause an integer overflow when processing an atom using the 'ssix' FOURCC code, due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability (Talos Advisory).
The vulnerability occurs during the parsing of atoms within an MPEG-4 container. When processing an atom with the 'ssix' FOURCC code, the library performs unchecked arithmetic operations that can lead to an integer overflow. This overflow results in an undersized heap allocation, which subsequently causes a heap-based buffer overflow when attempting to read the atom's contents. The vulnerability has a CVSS v3.1 Base Score of 8.8 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) (NVD, Talos Advisory).
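The mechanism above, modelled as an added illustrative C example (not GPAC's own 'ssix' parser): a count-prefixed table whose byte size is computed in 32-bit arithmetic wraps for large counts, yielding an undersized allocation, while the hardened version bounds the count by the bytes actually present in the box before any arithmetic. The box layout (a 32-bit big-endian entry count followed by 4-byte entries) is an assumption chosen for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stddef.h>

/* Assumed layout for this example only: uint32 big-endian count, then
   `count` fixed-size 4-byte entries. This is NOT GPAC's ssix structure. */
#define ENTRY_SIZE 4u

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern: count * ENTRY_SIZE is evaluated in 32 bits, so a
   count of 0x40000001 yields 0x100000004, which wraps to 4. A later loop
   that writes `count` entries then overruns the 4-byte heap buffer. */
size_t unchecked_alloc_size(uint32_t count) {
    uint32_t bytes = count * ENTRY_SIZE;   /* silently wraps */
    return bytes;
}

/* Hardened pattern: reject any count whose table cannot fit in the box
   payload that was actually read. The division form cannot overflow.
   Returns 0 when the count is rejected. */
size_t checked_alloc_size(uint32_t count, size_t payload_len) {
    if (count > payload_len / ENTRY_SIZE) return 0;
    return (size_t)count * ENTRY_SIZE;
}

/* Parse a box payload with the hardened check. Returns 1 on success and
   hands back a malloc'd array of `*out_count` entries; 0 on rejection. */
int parse_table(const uint8_t *payload, size_t len,
                uint32_t **out_entries, uint32_t *out_count) {
    if (len < 4) return 0;                         /* no room for the count */
    uint32_t count = be32(payload);
    size_t need = checked_alloc_size(count, len - 4);
    if (count != 0 && need == 0) return 0;         /* table exceeds box */
    uint32_t *entries = malloc(need ? need : 1);
    if (!entries) return 0;
    for (uint32_t i = 0; i < count; i++)           /* i stays within payload */
        entries[i] = be32(payload + 4 + (size_t)i * ENTRY_SIZE);
    *out_entries = entries;
    *out_count = count;
    return 1;
}
```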
Successful exploitation could lead to code execution in the context of the process using the library; an attacker could achieve arbitrary code execution by convincing a user to open a specially crafted video file (Talos Advisory).
The vulnerability has been addressed in updated versions of the software. Debian has released security updates for the affected packages in version 1.0.1+dfsg1-4+deb11u1 for the stable distribution (bullseye) (Debian Advisory).
Source: This report was generated using AI