{"id":"CVE-2018-13006","details":"An issue was discovered in MP4Box in GPAC 0.7.1. There is a heap-based buffer over-read in the isomedia/box_dump.c function hdlr_dump.","modified":"2026-04-16T04:41:27.886727487Z","published":"2018-06-29T14:29:00.433Z","references":[{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2018/07/msg00024.html"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/3926-1/"},{"type":"FIX","url":"https://github.com/gpac/gpac/commit/bceb03fd2be95097a7b409ea59914f332fb6bc86"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/gpac/gpac","events":[{"introduced":"0"},{"last_affected":"440d475f133038824dab08292b2e592ecd0e10b4"},{"fixed":"bceb03fd2be95097a7b409ea59914f332fb6bc86"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"0.7.1"}]}}],"versions":["v0.5.2","v0.6.0","v0.7.0","v0.7.1"],"database_specific":{"vanir_signatures":[{"target":{"file":"src/isomedia/box_dump.c","function":"hdlr_dump"},"signature_type":"Function","id":"CVE-2018-13006-48037c0a","digest":{"length":700,"function_hash":"43054822562971889790112649065050738269"},"signature_version":"v1","deprecated":false,"source":"https://github.com/gpac/gpac/commit/bceb03fd2be95097a7b409ea59914f332fb6bc86"},{"target":{"file":"src/isomedia/box_dump.c"},"signature_type":"Line","id":"CVE-2018-13006-6788df8b","digest":{"threshold":0.9,"line_hashes":["240129264460215101760777230888128164565","92702156625880302266939257319649640893","106025944208538254204216118738768950364","291361657713469353512677670250634893467","114828400390421047261539912847425380491","180158920246265982655196955164224034646","46529492494311210502089748160008866082","328792758787200467428256411222292138309","225418848381896315121417901204764322795","316273335466316768894293464072395772112","272981713739917107403282266976021755545","263228647726209966753406310595928825832","162978353272406893293034852260673864929","212408701237226215133420827343398066547","147355063569052367289533551592335104419","78353194541589929820848852692231624477","88898945021634436099969858195214715329","290255864161061932017116687271735605364","196715427663184130465026503108250380005","323943812714742087718554492099001672739","241382284308687866851092548279345156715","20348201306363799519440654524283513057","116683227579297135907438582119699371976","332049996018732859893380018854157529767","181927952357989742120082240421832220312","197206810468105811996021239872540502519"]},"deprecated":false,"signature_version":"v1","source":"https://github.com/gpac/gpac/commit/bceb03fd2be95097a7b409ea59914f332fb6bc86"},{"target":{"file":"src/isomedia/box_code_base.c"},"signature_type":"Line","id":"CVE-2018-13006-754b92bd","digest":{"threshold":0.9,"line_hashes":["225930566936052243641962346314426053849","72973447274602359087766500130082130622","114637650171971459425082135552424725701","226713972853355409738971654588282762732"]},"deprecated":false,"signature_version":"v1","source":"https://github.com/gpac/gpac/commit/bceb03fd2be95097a7b409ea59914f332fb6bc86"},{"signature_type":"Line","id":"CVE-2018-13006-ab7a5a36","target":{"file":"include/gpac/internal/isomedia_dev.h"},"digest":{"threshold":0.9,"line_hashes":["44569583039775634638106699721267891144","44605539196149009950683430579838645942","203837620228269494667698691868752906388","333379221623619907573134082483232062106"]},"signature_version":"v1","deprecated":false,"source":"https://github.com/gpac/gpac/commit/bceb03fd2be95097a7b409ea59914f332fb6bc86"},{"signature_type":"Function","id":"CVE-2018-13006-ef8f3454","target":{"file":"src/isomedia/box_code_base.c","function":"urn_Read"},"digest":{"length":1039,"function_hash":"188650703219858837821397659744260795143"},"deprecated":false,"signature_version":"v1","source":"https://github.com/gpac/gpac/commit/bceb03fd2be95097a7b409ea59914f332fb6bc86"}],"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"16.04"}]},{"events":[{"introduced":"0"},{"last_affected":"18.04"}]},{"events":[{"introduced":"0"},{"last_affected":"18.10"}]}],"vanir_signatures_modified":"2026-04-11T06:58:46Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-13006.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}