CVE-2022-45283: 
NixOS vulnerability analysis and mitigation

GPAC MP4box v2.0.0 was discovered to contain a stack overflow vulnerability in the smilparsetimelist parameter at /scenegraph/svgattributes.c. The vulnerability was identified with CVE-2022-45283 and disclosed in December 2022 (NVD, GitHub Issue).

The vulnerability exists due to a fixed-length buffer allocation in the smilparsetimelist function, where a valuestring buffer of 500 bytes is allocated. The function performs a memcpy operation without proper length validation, allowing for buffer overflow when copying content to this fixed buffer. The CVSS v3.1 base score is 7.8 HIGH with vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

Since the content is user-controllable and there is no length limitation, this vulnerability can lead to stack overflow, corrupting stack canaries, and potentially causing Denial of Service (DoS) or Remote Code Execution (RCE) (GitHub Issue).

The recommended mitigation is to implement a length limit check before the memcpy operation, ensuring the copied content does not exceed 500 bytes. The vulnerability has been fixed in updated versions, and users are advised to upgrade their GPAC installations. For Debian systems, the fix is available in version 1.0.1+dfsg1-4+deb11u2 (Debian Advisory).