CVE-2021-21845: 
NixOS vulnerability analysis and mitigation

Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input in "stsc" decoder can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability. The vulnerability was discovered and disclosed in August 2021 (Talos Report).

The vulnerability exists in the MPEG-4 decoding functionality where the library processes atoms from the container while noting the atom's "type" (FOURCC). When allocating space for reading the rest of an atom, the library may miscalculate the size due to an integer overflow or integer truncation, resulting in an undersized heap allocation. The vulnerability has a CVSS v3.0 score of 8.8 (HIGH) with vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The issue is classified as CWE-680 (Integer Overflow to Buffer Overflow) (Talos Report).

When exploited, this vulnerability can lead to memory corruption and potential code execution under the context of the library. The heap-based buffer overflow can allow attackers to execute arbitrary code by convincing a user to open a specially crafted video file (Talos Report).

For the Debian stable distribution (bullseye), these problems have been fixed in version 1.0.1+dfsg1-4+deb11u1. Users are recommended to upgrade their gpac packages to the latest version. The oldstable distribution (buster) is not affected by this vulnerability (Debian Advisory).