CVE-2021-21862: 
NixOS vulnerability analysis and mitigation

Multiple exploitable integer truncation vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause an improper memory allocation resulting in a heap-based buffer overflow that causes memory corruption. The vulnerability was discovered and disclosed in August 2021 (Talos Advisory).

The vulnerability occurs during the parsing of MPEG-4 container atoms. When processing atoms, the library reads fields from the atom's contents and uses them to calculate boundaries of fields within the rest of the atom. In some parsers, these fields are explicitly trusted and used to calculate the size of a heap-buffer. Due to integer overflow or truncation, this can result in an undersized heap allocation being made. When the library later attempts to read the atom's contents into this heap buffer, a heap-based buffer overflow occurs. The vulnerability has been assigned a CVSS v3.1 Base Score of 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) (NVD).

A successful exploit could result in code execution under the context of the library. The vulnerability affects confidentiality, integrity, and availability of the system, with potential for complete compromise if successfully exploited (Talos Advisory).

The vulnerability has been fixed in GPAC Project Advanced Content commit a8a8d412dabcb129e695c3e7d861fcc81f608304. Users are encouraged to update to the latest version. Snort rules 57607-57618, 57623-57630, and 57635-57672 can detect exploitation attempts (Talos Advisory).