CVE-2021-21843: 
NixOS vulnerability analysis and mitigation

Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability (Talos Report).

The vulnerability occurs in the MPEG-4 decoding functionality when parsing atoms within an MPEG-4 container. The library reads fields from the atom's contents and uses them to calculate buffer sizes without proper bounds checking. When allocating space for reading the rest of an atom, the library may miscalculate the size due to an integer overflow or integer truncation, resulting in an undersized heap allocation. When the library later attempts to read the atom's contents into this heap buffer, a heap-based buffer overflow occurs. The vulnerability has a CVSS v3.0 score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) (Talos Report).

A successful exploit could lead to memory corruption and potentially code execution under the context of the library. The vulnerability affects the integrity of memory handling and could allow an attacker to execute arbitrary code with the privileges of the application using the GPAC library (Talos Report).

The vulnerability has been fixed in version 1.0.1+dfsg1-4+deb11u1 for Debian bullseye. Users should upgrade to the patched version. The oldstable distribution (buster) is not affected by this vulnerability (Debian Security).