{"id":"CVE-2018-20762","details":"GPAC version 0.7.1 and earlier has a buffer overflow vulnerability in the cat_multiple_files function in applications/mp4box/fileimport.c when MP4Box is used for a local directory containing crafted filenames.","modified":"2026-04-16T04:44:42.789790497Z","published":"2019-02-06T23:29:00.370Z","references":[{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2019/02/msg00040.html"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/3926-1/"},{"type":"FIX","url":"https://github.com/gpac/gpac/commit/35ab4475a7df9b2a4bcab235e379c0c3ec543658"},{"type":"EVIDENCE","url":"https://github.com/gpac/gpac/issues/1187"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/gpac/gpac","events":[{"introduced":"0"},{"last_affected":"440d475f133038824dab08292b2e592ecd0e10b4"},{"fixed":"35ab4475a7df9b2a4bcab235e379c0c3ec543658"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"0.7.1"}]}}],"versions":["v0.5.2","v0.6.0","v0.7.0","v0.7.1"],"database_specific":{"vanir_signatures_modified":"2026-04-11T14:54:38Z","vanir_signatures":[{"signature_type":"Line","source":"https://github.com/gpac/gpac/commit/35ab4475a7df9b2a4bcab235e379c0c3ec543658","digest":{"threshold":0.9,"line_hashes":["177806710708948801023466107337935595194","101179168692257285273967622649824482615","142365261581564202298399807691257604892","29961273418044651086605550132794292427","10609050882929854190783234901260810949","13758865279394679676425726873429352093","137098705219827375748825150314849161523","249612812635717977904490394944552865247","300563767472421716329546861368598055552","162069967702304411113772687533291794467","334065887476312938473516292269748808408","153920100334872794026847679421893687691","148338080290635430922058106989875262390","251059782858831595628415134830674452886","188163686190837325114706975240648923495","302914892325916670735888427970652105481","320711065323366901188902124088569198477","160055706343848487710053992116068498215","129972362995167018935924128987383797919","289596222244060192319445051389433850753","97131646810314901201167157187342208826","57332432781208856566032034995164514236","105187912328225746919900045399207183304","258631037694452500310373557875252021317","54820847704567186114802404349166771063","336630550262938593278012641622956435631"]},"signature_version":"v1","id":"CVE-2018-20762-138b9cbe","target":{"file":"applications/mp4client/main.c"},"deprecated":false},{"signature_type":"Function","id":"CVE-2018-20762-14b2b16b","digest":{"function_hash":"266421301009955877927061290868667144890","length":1053},"signature_version":"v1","target":{"function":"cat_multiple_files","file":"applications/mp4box/fileimport.c"},"source":"https://github.com/gpac/gpac/commit/35ab4475a7df9b2a4bcab235e379c0c3ec543658","deprecated":false},{"target":{"function":"FFD_CanHandleURL","file":"modules/ffmpeg_in/ffmpeg_demux.c"},"source":"https://github.com/gpac/gpac/commit/35ab4475a7df9b2a4bcab235e379c0c3ec543658","digest":{"function_hash":"31876490769685354517523917252215192740","length":3932},"signature_version":"v1","signature_type":"Function","id":"CVE-2018-20762-505a0d40","deprecated":false},{"target":{"file":"src/scene_manager/scene_manager.c"},"id":"CVE-2018-20762-54c53b98","digest":{"threshold":0.9,"line_hashes":["237493653535479184836953215138021360478","217388982713414624001209062315649745598","65188003659595125205447103578125040304","109465885220917882838931629268924162384"]},"signature_version":"v1","source":"https://github.com/gpac/gpac/commit/35ab4475a7df9b2a4bcab235e379c0c3ec543658","signature_type":"Line","deprecated":false},{"signature_type":"Line","id":"CVE-2018-20762-63a908da","digest":{"threshold":0.9,"line_hashes":["264523157031263892128146363725756387325","118933627905992146657929152694320074049","257273306596703326577925339315019268129","274920654055756748976150798775296607179","209204931148955835024964255547571251171","56274645375521377663122475273814332602","136614371259472427414654230086662085041","150871314073043715570726590539299614118","291079280856334805031023588734060282809","84500922091286306009044906419371090872","227309841688554781594845013960716014333"]},"signature_version":"v1","target":{"file":"modules/ffmpeg_in/ffmpeg_demux.c"},"source":"https://github.com/gpac/gpac/commit/35ab4475a7df9b2a4bcab235e379c0c3ec543658","deprecated":false},{"target":{"function":"GPAC_EventProc","file":"applications/mp4client/main.c"},"id":"CVE-2018-20762-86f3cc7d","digest":{"function_hash":"163118974547433479099396815109657039820","length":10418},"source":"https://github.com/gpac/gpac/commit/35ab4475a7df9b2a4bcab235e379c0c3ec543658","signature_version":"v1","signature_type":"Function","deprecated":false},{"signature_type":"Function","source":"https://github.com/gpac/gpac/commit/35ab4475a7df9b2a4bcab235e379c0c3ec543658","id":"CVE-2018-20762-8fab7fc4","signature_version":"v1","digest":{"function_hash":"237442712216280146270324140443867544129","length":29995},"target":{"function":"mp4client_main","file":"applications/mp4client/main.c"},"deprecated":false},{"target":{"function":"set_cfg_option","file":"applications/mp4client/main.c"},"source":"https://github.com/gpac/gpac/commit/35ab4475a7df9b2a4bcab235e379c0c3ec543658","digest":{"function_hash":"165754116954605594476599722340014993865","length":936},"signature_version":"v1","signature_type":"Function","id":"CVE-2018-20762-a5600968","deprecated":false},{"target":{"file":"applications/mp4box/fileimport.c"},"id":"CVE-2018-20762-c6d45474","digest":{"threshold":0.9,"line_hashes":["30739628822414551627383190559771524873","25724999979887296492779751561194023031","105175159957466592163691017413067280625","148799604309504246911057992718970920910","295951348819635724122242006273612480248","309872636870750701225570848504326574689","236858418898194591029271085083340849412","307538305822837846156040367940415744092","284312735582319307094798885990206965073","321035248002051127603397109875145888386","20579560730579201526093260620830775434","125582650234243198115040091927257429008","58697057854487651962318453038124536209","97251207196374203411827359232807357736","329344419116748040050187867256612520294","151482843949274259482119254579003759418","124648944189169153752897372929024043821","148544142094532301817996246237602613941"]},"signature_version":"v1","source":"https://github.com/gpac/gpac/commit/35ab4475a7df9b2a4bcab235e379c0c3ec543658","signature_type":"Line","deprecated":false},{"signature_type":"Function","id":"CVE-2018-20762-e72de6bd","digest":{"function_hash":"332530591878327878357530633887625197210","length":2931},"signature_version":"v1","target":{"function":"gf_sm_load_init","file":"src/scene_manager/scene_manager.c"},"source":"https://github.com/gpac/gpac/commit/35ab4475a7df9b2a4bcab235e379c0c3ec543658","deprecated":false}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-20762.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"16.04"}]},{"events":[{"introduced":"0"},{"last_affected":"18.04"}]},{"events":[{"introduced":"0"},{"last_affected":"18.10"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}