CVE-2021-21852: 
NixOS vulnerability analysis and mitigation

Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input at "stss" decoder can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability (Talos Report).

The vulnerability exists in the MPEG-4 decoding functionality where the library reads fields from atom contents to calculate boundaries of fields within the rest of the atom. The fields are explicitly trusted and used to calculate heap-buffer sizes. When allocating space for reading the rest of an atom, the library may miscalculate the size due to an integer overflow or integer truncation, resulting in an undersized heap allocation. When the library attempts to read the atom's contents into this heap buffer, a heap-based buffer overflow occurs. The vulnerability has a CVSSv3 Score of 8.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is classified as CWE-680 (Integer Overflow to Buffer Overflow) (Talos Report).

The vulnerability can result in code execution under the context of the library. When exploited, it allows attackers to potentially execute arbitrary code through memory corruption caused by the heap-based buffer overflow (Talos Report).

The vulnerability has been fixed in version 1.0.1+dfsg1-4+deb11u2 for Debian bullseye. Users are recommended to upgrade their gpac packages to the latest version (Debian Advisory).