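GPAC version 0.7.1 and earlier has a buffer overflow vulnerability in the cat_multiple_files function in applications/mp4box/fileimport.c when MP4Box is used for a local directory containing crafted filenames. The signatures below all cite fix commit 35ab4475a7df9b2a4bcab235e379c0c3ec543658 as their source; besides applications/mp4box/fileimport.c they also target applications/mp4client/main.c, modules/ffmpeg_in/ffmpeg_demux.c and src/scene_manager/scene_manager.c, so a match in any of those files indicates code that predates the same fix.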
{ "vanir_signatures": [ { "id": "CVE-2018-20762-138b9cbe", "digest": { "threshold": 0.9, "line_hashes": [ "177806710708948801023466107337935595194", "101179168692257285273967622649824482615", "142365261581564202298399807691257604892", "29961273418044651086605550132794292427", "10609050882929854190783234901260810949", "13758865279394679676425726873429352093", "137098705219827375748825150314849161523", "249612812635717977904490394944552865247", "300563767472421716329546861368598055552", "162069967702304411113772687533291794467", "334065887476312938473516292269748808408", "153920100334872794026847679421893687691", "148338080290635430922058106989875262390", "251059782858831595628415134830674452886", "188163686190837325114706975240648923495", "302914892325916670735888427970652105481", "320711065323366901188902124088569198477", "160055706343848487710053992116068498215", "129972362995167018935924128987383797919", "289596222244060192319445051389433850753", "97131646810314901201167157187342208826", "57332432781208856566032034995164514236", "105187912328225746919900045399207183304", "258631037694452500310373557875252021317", "54820847704567186114802404349166771063", "336630550262938593278012641622956435631" ] }, "signature_version": "v1", "deprecated": false, "target": { "file": "applications/mp4client/main.c" }, "signature_type": "Line", "source": "https://github.com/gpac/gpac/commit/35ab4475a7df9b2a4bcab235e379c0c3ec543658" }, { "id": "CVE-2018-20762-14b2b16b", "digest": { "length": 1053.0, "function_hash": "266421301009955877927061290868667144890" }, "signature_version": "v1", "deprecated": false, "target": { "file": "applications/mp4box/fileimport.c", "function": "cat_multiple_files" }, "signature_type": "Function", "source": "https://github.com/gpac/gpac/commit/35ab4475a7df9b2a4bcab235e379c0c3ec543658" }, { "id": "CVE-2018-20762-505a0d40", "digest": { "length": 3932.0, "function_hash": "31876490769685354517523917252215192740" }, "signature_version": "v1", "deprecated": 
false, "target": { "file": "modules/ffmpeg_in/ffmpeg_demux.c", "function": "FFD_CanHandleURL" }, "signature_type": "Function", "source": "https://github.com/gpac/gpac/commit/35ab4475a7df9b2a4bcab235e379c0c3ec543658" }, { "id": "CVE-2018-20762-54c53b98", "digest": { "threshold": 0.9, "line_hashes": [ "237493653535479184836953215138021360478", "217388982713414624001209062315649745598", "65188003659595125205447103578125040304", "109465885220917882838931629268924162384" ] }, "signature_version": "v1", "deprecated": false, "target": { "file": "src/scene_manager/scene_manager.c" }, "signature_type": "Line", "source": "https://github.com/gpac/gpac/commit/35ab4475a7df9b2a4bcab235e379c0c3ec543658" }, { "id": "CVE-2018-20762-63a908da", "digest": { "threshold": 0.9, "line_hashes": [ "264523157031263892128146363725756387325", "118933627905992146657929152694320074049", "257273306596703326577925339315019268129", "274920654055756748976150798775296607179", "209204931148955835024964255547571251171", "56274645375521377663122475273814332602", "136614371259472427414654230086662085041", "150871314073043715570726590539299614118", "291079280856334805031023588734060282809", "84500922091286306009044906419371090872", "227309841688554781594845013960716014333" ] }, "signature_version": "v1", "deprecated": false, "target": { "file": "modules/ffmpeg_in/ffmpeg_demux.c" }, "signature_type": "Line", "source": "https://github.com/gpac/gpac/commit/35ab4475a7df9b2a4bcab235e379c0c3ec543658" }, { "id": "CVE-2018-20762-86f3cc7d", "digest": { "length": 10418.0, "function_hash": "163118974547433479099396815109657039820" }, "signature_version": "v1", "deprecated": false, "target": { "file": "applications/mp4client/main.c", "function": "GPAC_EventProc" }, "signature_type": "Function", "source": "https://github.com/gpac/gpac/commit/35ab4475a7df9b2a4bcab235e379c0c3ec543658" }, { "id": "CVE-2018-20762-8fab7fc4", "digest": { "length": 29995.0, "function_hash": "237442712216280146270324140443867544129" }, 
"signature_version": "v1", "deprecated": false, "target": { "file": "applications/mp4client/main.c", "function": "mp4client_main" }, "signature_type": "Function", "source": "https://github.com/gpac/gpac/commit/35ab4475a7df9b2a4bcab235e379c0c3ec543658" }, { "id": "CVE-2018-20762-a5600968", "digest": { "length": 936.0, "function_hash": "165754116954605594476599722340014993865" }, "signature_version": "v1", "deprecated": false, "target": { "file": "applications/mp4client/main.c", "function": "set_cfg_option" }, "signature_type": "Function", "source": "https://github.com/gpac/gpac/commit/35ab4475a7df9b2a4bcab235e379c0c3ec543658" }, { "id": "CVE-2018-20762-c6d45474", "digest": { "threshold": 0.9, "line_hashes": [ "30739628822414551627383190559771524873", "25724999979887296492779751561194023031", "105175159957466592163691017413067280625", "148799604309504246911057992718970920910", "295951348819635724122242006273612480248", "309872636870750701225570848504326574689", "236858418898194591029271085083340849412", "307538305822837846156040367940415744092", "284312735582319307094798885990206965073", "321035248002051127603397109875145888386", "20579560730579201526093260620830775434", "125582650234243198115040091927257429008", "58697057854487651962318453038124536209", "97251207196374203411827359232807357736", "329344419116748040050187867256612520294", "151482843949274259482119254579003759418", "124648944189169153752897372929024043821", "148544142094532301817996246237602613941" ] }, "signature_version": "v1", "deprecated": false, "target": { "file": "applications/mp4box/fileimport.c" }, "signature_type": "Line", "source": "https://github.com/gpac/gpac/commit/35ab4475a7df9b2a4bcab235e379c0c3ec543658" }, { "id": "CVE-2018-20762-e72de6bd", "digest": { "length": 2931.0, "function_hash": "332530591878327878357530633887625197210" }, "signature_version": "v1", "deprecated": false, "target": { "file": "src/scene_manager/scene_manager.c", "function": "gf_sm_load_init" }, "signature_type": 
"Function", "source": "https://github.com/gpac/gpac/commit/35ab4475a7df9b2a4bcab235e379c0c3ec543658" } ] }