CVE-2023-46931: 
NixOS vulnerability analysis and mitigation

GPAC 2.3-DEV-rev605-gfc9e29089-master contains a heap-buffer-overflow vulnerability in the ffdmxparsesidedata function located at /afltest/gpac/src/filters/ffdmx.c:202:14 in gpac/MP4Box. The vulnerability was discovered in October 2023 and affects the GPAC multimedia framework (NIST NVD, Debian Tracker).

The vulnerability is a heap-based buffer overflow that occurs during side data parsing in the GPAC multimedia framework. The issue manifests as a READ operation of size 4 at an invalid memory address, specifically occurring in the ffdmxparsesidedata function which is called through the ffdmxinitcommon and ffdmxinitialize function chain. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (NIST NVD).

When exploited, this vulnerability can cause the application to crash due to invalid memory access. The heap buffer overflow can potentially lead to memory corruption and denial of service conditions. The CVSS score indicates that while the vulnerability requires local access and user interaction, it can result in high availability impact (NIST NVD).

A patch for this vulnerability has been provided through a commit in the GPAC repository. Users are advised to update to a version that includes the fix (GPAC Patch).