{"id":"CVE-2018-20761","details":"GPAC version 0.7.1 and earlier has a Buffer Overflow vulnerability in the gf_sm_load_init function in scene_manager.c in libgpac_static.a.","modified":"2026-02-23T08:12:59.962210Z","published":"2019-02-06T23:29:00.293Z","related":["MGASA-2019-0146"],"references":[{"type":"ADVISORY","url":"https://github.com/gpac/gpac/commit/35ab4475a7df9b2a4bcab235e379c0c3ec543658"},{"type":"ADVISORY","url":"https://github.com/gpac/gpac/issues/1186"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2019/02/msg00040.html"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/3926-1/"},{"type":"FIX","url":"https://github.com/gpac/gpac/commit/35ab4475a7df9b2a4bcab235e379c0c3ec543658"},{"type":"ARTICLE","url":"https://lists.debian.org/debian-lts-announce/2019/02/msg00040.html"},{"type":"EVIDENCE","url":"https://github.com/gpac/gpac/issues/1186"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/gpac/gpac","events":[{"introduced":"0"},{"fixed":"35ab4475a7df9b2a4bcab235e379c0c3ec543658"}]}],"versions":["v0.5.2","v0.6.0","v0.6.1","v0.7.0","v0.7.1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-20761.json","vanir_signatures":[{"source":"https://github.com/gpac/gpac/commit/35ab4475a7df9b2a4bcab235e379c0c3ec543658","id":"CVE-2018-20761-138b9cbe","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["177806710708948801023466107337935595194","101179168692257285273967622649824482615","142365261581564202298399807691257604892","29961273418044651086605550132794292427","10609050882929854190783234901260810949","13758865279394679676425726873429352093","137098705219827375748825150314849161523","249612812635717977904490394944552865247","300563767472421716329546861368598055552","162069967702304411113772687533291794467","334065887476312938473516292269748808408","153920100334872794026847679421893687691","148338080290635430922058106989875262390","251059782858831595628415134830674452886","188163686190837325114706975240648923495","302914892325916670735888427970652105481","320711065323366901188902124088569198477","160055706343848487710053992116068498215","129972362995167018935924128987383797919","289596222244060192319445051389433850753","97131646810314901201167157187342208826","57332432781208856566032034995164514236","105187912328225746919900045399207183304","258631037694452500310373557875252021317","54820847704567186114802404349166771063","336630550262938593278012641622956435631"]},"deprecated":false,"target":{"file":"applications/mp4client/main.c"},"signature_version":"v1"},{"source":"https://github.com/gpac/gpac/commit/35ab4475a7df9b2a4bcab235e379c0c3ec543658","id":"CVE-2018-20761-14b2b16b","signature_type":"Function","digest":{"function_hash":"266421301009955877927061290868667144890","length":1053},"deprecated":false,"target":{"file":"applications/mp4box/fileimport.c","function":"cat_multiple_files"},"signature_version":"v1"},{"source":"https://github.com/gpac/gpac/commit/35ab4475a7df9b2a4bcab235e379c0c3ec543658","id":"CVE-2018-20761-505a0d40","signature_type":"Function","digest":{"function_hash":"31876490769685354517523917252215192740","length":3932},"deprecated":false,"target":{"file":"modules/ffmpeg_in/ffmpeg_demux.c","function":"FFD_CanHandleURL"},"signature_version":"v1"},{"source":"https://github.com/gpac/gpac/commit/35ab4475a7df9b2a4bcab235e379c0c3ec543658","id":"CVE-2018-20761-54c53b98","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["237493653535479184836953215138021360478","217388982713414624001209062315649745598","65188003659595125205447103578125040304","109465885220917882838931629268924162384"]},"deprecated":false,"target":{"file":"src/scene_manager/scene_manager.c"},"signature_version":"v1"},{"source":"https://github.com/gpac/gpac/commit/35ab4475a7df9b2a4bcab235e379c0c3ec543658","id":"CVE-2018-20761-63a908da","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["264523157031263892128146363725756387325","118933627905992146657929152694320074049","257273306596703326577925339315019268129","274920654055756748976150798775296607179","209204931148955835024964255547571251171","56274645375521377663122475273814332602","136614371259472427414654230086662085041","150871314073043715570726590539299614118","291079280856334805031023588734060282809","84500922091286306009044906419371090872","227309841688554781594845013960716014333"]},"deprecated":false,"target":{"file":"modules/ffmpeg_in/ffmpeg_demux.c"},"signature_version":"v1"},{"source":"https://github.com/gpac/gpac/commit/35ab4475a7df9b2a4bcab235e379c0c3ec543658","id":"CVE-2018-20761-86f3cc7d","signature_type":"Function","digest":{"function_hash":"163118974547433479099396815109657039820","length":10418},"deprecated":false,"target":{"file":"applications/mp4client/main.c","function":"GPAC_EventProc"},"signature_version":"v1"},{"source":"https://github.com/gpac/gpac/commit/35ab4475a7df9b2a4bcab235e379c0c3ec543658","id":"CVE-2018-20761-8fab7fc4","signature_type":"Function","digest":{"function_hash":"237442712216280146270324140443867544129","length":29995},"deprecated":false,"target":{"file":"applications/mp4client/main.c","function":"mp4client_main"},"signature_version":"v1"},{"source":"https://github.com/gpac/gpac/commit/35ab4475a7df9b2a4bcab235e379c0c3ec543658","id":"CVE-2018-20761-a5600968","signature_type":"Function","digest":{"function_hash":"165754116954605594476599722340014993865","length":936},"deprecated":false,"target":{"file":"applications/mp4client/main.c","function":"set_cfg_option"},"signature_version":"v1"},{"source":"https://github.com/gpac/gpac/commit/35ab4475a7df9b2a4bcab235e379c0c3ec543658","id":"CVE-2018-20761-c6d45474","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["30739628822414551627383190559771524873","25724999979887296492779751561194023031","105175159957466592163691017413067280625","148799604309504246911057992718970920910","295951348819635724122242006273612480248","309872636870750701225570848504326574689","236858418898194591029271085083340849412","307538305822837846156040367940415744092","284312735582319307094798885990206965073","321035248002051127603397109875145888386","20579560730579201526093260620830775434","125582650234243198115040091927257429008","58697057854487651962318453038124536209","97251207196374203411827359232807357736","329344419116748040050187867256612520294","151482843949274259482119254579003759418","124648944189169153752897372929024043821","148544142094532301817996246237602613941"]},"deprecated":false,"target":{"file":"applications/mp4box/fileimport.c"},"signature_version":"v1"},{"source":"https://github.com/gpac/gpac/commit/35ab4475a7df9b2a4bcab235e379c0c3ec543658","id":"CVE-2018-20761-e72de6bd","signature_type":"Function","digest":{"function_hash":"332530591878327878357530633887625197210","length":2931},"deprecated":false,"target":{"file":"src/scene_manager/scene_manager.c","function":"gf_sm_load_init"},"signature_version":"v1"}]}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}