# Vulnerability Summary

## Overview

- **Vulnerability ID**: #800985
- **Vulnerability Title**: gpac Latest Memory Corruption
- **Description**: An integer truncation vulnerability exists in the `elng_box_read()` function in `src/isomedia/box_code_base.c`. When parsing an `elng` (Extended Language Box) from a malicious MP4 file, the 64-bit `ptr->size` (of type `u64`) taken from the box header is silently truncated to `u32` for the memory allocation and for the read, while the original 64-bit value is used as an array index. This results in a heap buffer over-read of approximately 4 GB.

## Scope

- **Affected Location**: `src/isomedia/box_code_base.c:3684-3692`
- **Vulnerable Code**:

```c
GF_Err elng_box_read(GF_Box *s, GF_BitStream *bs)
{
	GF_ExtendedLanguageBox *ptr = (GF_ExtendedLanguageBox*)s;

	if (ptr->size) {
		ptr->extended_language = (char*)gf_malloc((u32)ptr->size);        // [3684] u64 -> u32 truncation
		if (ptr->extended_language == NULL) return GF_OUT_OF_MEM;
		gf_bs_read_data(bs, ptr->extended_language, (u32)ptr->size);      // [3686] truncated read size
		/* safety check in case the string is not NUL-terminated */
		if (ptr->extended_language[ptr->size-1]) {                         // [3688] u64 index -> OOB READ
			char *str = (char*)gf_malloc((u32)ptr->size + 1);              // [3689] truncated again
			if (!str) return GF_OUT_OF_MEM;
			memcpy(str, ptr->extended_language, (u32)ptr->size);
			str[ptr->size] = 0;                                            // [3692] u64 index -> OOB WRITE
			gf_free(ptr->extended_language);
			ptr->extended_language = str;
		}
	}
	return GF_OK;
}
```

## Remediation

- **Recommendation**: Validate `ptr->size` before any narrowing cast (reject values that do not fit in `u32` or that exceed the remaining box payload), and use one consistent width for the allocation, the read and every index into the buffer, so that integer truncation cannot lead to out-of-bounds memory access.
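The following is an added example, not GPAC's own code, showing the truncation that the report describes and one way the read can be hardened along the lines of the recommendation. The `GF_BitStream`, `GF_ExtendedLanguageBox`, `GF_Err` values and `bs_read_data()` here are minimal hypothetical stand-ins for the real GPAC types and helpers, and the 3-byte payload `"eng"` is a constructed sample. The hardened reader rejects the header size before any cast, sizes the allocation, read and terminator index from the same `u32` value, and allocates the terminator byte up front so no second buffer and no 64-bit index are needed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef uint64_t u64;
typedef uint32_t u32;

/* Hypothetical stand-ins for the GPAC error codes used below. */
typedef enum { GF_OK = 0, GF_OUT_OF_MEM = -1, GF_ISOM_INVALID_FILE = -2 } GF_Err;

/* Hypothetical in-memory "bitstream": a byte buffer plus a read cursor. */
typedef struct {
    const unsigned char *data;
    size_t len;
    size_t pos;
} GF_BitStream;

/* Hypothetical stand-in for GPAC's box struct: only the fields elng_box_read() touches. */
typedef struct {
    u64   size;               /* payload size parsed from the box header (64-bit) */
    char *extended_language;
} GF_ExtendedLanguageBox;

/* Stand-in for gf_bs_read_data(): copies at most n bytes, returns how many were available. */
static u32 bs_read_data(GF_BitStream *bs, char *dst, u32 n) {
    size_t avail = bs->len - bs->pos;
    size_t take = (n < avail) ? n : avail;
    memcpy(dst, bs->data + bs->pos, take);
    bs->pos += take;
    return (u32)take;
}

/* The cast the vulnerable code performs at lines 3684/3686/3689: high bits are dropped. */
u32 truncated_alloc_size(u64 size) {
    return (u32)size;
}

/* True when (u32)size != size, i.e. the allocation size and the u64 index would disagree. */
int size_truncates(u64 size) {
    return (u64)(u32)size != size;
}

/* Hardened reader: validate the 64-bit size before narrowing, then use one width throughout. */
GF_Err elng_box_read_hardened(GF_ExtendedLanguageBox *ptr, GF_BitStream *bs) {
    if (!ptr->size) return GF_OK;
    /* Reject a size that would truncate or that claims more bytes than the stream holds. */
    if (size_truncates(ptr->size) || ptr->size > (u64)(bs->len - bs->pos))
        return GF_ISOM_INVALID_FILE;
    u32 sz = (u32)ptr->size;
    /* sz + 1 so the NUL terminator at index sz is always inside the allocation. */
    char *buf = (char*)malloc((size_t)sz + 1);
    if (!buf) return GF_OUT_OF_MEM;
    if (bs_read_data(bs, buf, sz) != sz) { free(buf); return GF_ISOM_INVALID_FILE; }
    buf[sz] = 0;
    ptr->extended_language = buf;
    return GF_OK;
}

/* Constructed sample payload: "eng" with no NUL terminator, as an elng box might carry. */
static const unsigned char SAMPLE_ENG[3] = { 'e', 'n', 'g' };

/* Header claims 0x1_0000_0003 bytes: the vulnerable code would malloc(3) and index [0x1_0000_0002]. */
GF_Err demo_oversize_header(void) {
    GF_BitStream bs = { SAMPLE_ENG, sizeof SAMPLE_ENG, 0 };
    GF_ExtendedLanguageBox box = { 0x100000003ULL, NULL };
    return elng_box_read_hardened(&box, &bs);   /* rejected before any allocation */
}

/* Honest header: returns 1 if "eng" is read and NUL-terminated in bounds. */
int demo_honest_header(void) {
    GF_BitStream bs = { SAMPLE_ENG, sizeof SAMPLE_ENG, 0 };
    GF_ExtendedLanguageBox box = { 3, NULL };
    int ok = elng_box_read_hardened(&box, &bs) == GF_OK
          && box.extended_language != NULL
          && strcmp(box.extended_language, "eng") == 0;
    free(box.extended_language);
    return ok;
}
```

`truncated_alloc_size(0x100000003ULL)` returns 3, which is exactly why the original allocation is tiny while `ptr->size-1` at line 3688 still reaches about 4 GB past it; the hardened path never lets those two numbers diverge.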