CVE-2021-21853: 
NixOS vulnerability analysis and mitigation

Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause an integer overflow due to unchecked addition arithmetic resulting in a heap-based buffer overflow that causes memory corruption. The vulnerability was discovered and reported by Cisco Talos team (Talos Blog, Talos Report).

The vulnerability exists in the MPEG-4 decoding functionality where unchecked addition arithmetic operations can lead to integer overflows. When processing certain MPEG-4 atoms like 'name', 'rtp', and 'sdp', the library performs unsafe size calculations by truncating 64-bit sizes to 32-bit integers without proper validation. This truncation, combined with subsequent arithmetic operations, can result in integer overflows leading to undersized heap allocations and buffer overflows. The vulnerability has a CVSSv3 score of 8.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) (Talos Report).

The vulnerability can lead to memory corruption through heap-based buffer overflows. An attacker who successfully exploits this vulnerability could potentially achieve code execution under the context of the library. The impact is significant as it affects the core MPEG-4 processing functionality of the library (Talos Report).

Users are encouraged to update to GPAC Project Advanced Content commit a8a8d412dabcb129e695c3e7d861fcc81f608304 or later versions. For Debian users, the fix has been released in version 1.0.1+dfsg1-4+deb11u1 for the stable distribution (bullseye) (Debian Advisory).