{"id":"CVE-2022-47090","details":"GPAC MP4box 2.1-DEV-rev574-g9d5bb184b contains a buffer overflow in gf_vvc_read_pps_bs_internal function of media_tools/av_parsers.c, check needed for num_exp_tile_columns","modified":"2025-11-20T12:12:03.935054Z","published":"2025-01-24T14:15:29.983Z","references":[{"type":"REPORT","url":"https://github.com/gpac/gpac/issues/2341"},{"type":"FIX","url":"https://github.com/gpac/gpac/commit/48760768611f6766bf9e7378bb7cc66cebd6e49d"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/gpac/gpac","events":[{"introduced":"0"},{"fixed":"48760768611f6766bf9e7378bb7cc66cebd6e49d"}]}],"versions":["v0.5.2","v0.6.0","v0.6.1","v0.7.0","v0.7.1","v0.8.0","v0.9.0","v0.9.0-preview","v1.0.0","v1.0.1","v2.0.0"],"database_specific":{"vanir_signatures":[{"digest":{"threshold":0.9,"line_hashes":["205209458812386853287423321730706039629","283842925901255651038014883729249748502","119750241985182591880100035652884518750","249173118097177807258314029870084205322","145169747838016420967307705714809152012","17678980392922620157855712049400787652","298981180365317512869892842504849017620","76656828522272514685842700247074708712","322674210456313726550982336582109607433","328885615478932769306837559688088515473","188547454502341615709831812951291639810","279095389721625900102977766734825829708","228746153867877852956155136832942321446","329769442877559556611307647141321953070","243954140227521645296268521307161715640","57974578731255535348878017228351961357","107812210113521606122792993561365764836","224837128817339056742644030688043759223","28415693334215349416190352426534119281","296333176005024444959529186010178449570","74876339551563488313306685286738398802","251510676883842765728152705936873672899","281229880928935923103119675007558539856","153744100990202565898655088326250806832","129336266987800426731230548423736001681","83022577908808554805076911886680626450","75060847933832581785216824895215528632","164983488199366312494739074465961779520","20039334582733489845696644564879128577","221155674425475002333071391877791012516","125233794203003531721734494994708824431","111088692452168871356026409075927580884","28204333431810818060280925250875245743","273896969273243665505630651444602891170","13711166146158558160664229371431732128"]},"signature_version":"v1","signature_type":"Line","deprecated":false,"id":"CVE-2022-47090-124dbdf0","source":"https://github.com/gpac/gpac/commit/48760768611f6766bf9e7378bb7cc66cebd6e49d","target":{"file":"src/media_tools/av_parsers.c"}},{"digest":{"threshold":0.9,"line_hashes":["96071949862397183840061149148711297212","318580497121197462373685047158736131940","104293381729214981031340158303783530447","42161297080934316694561740653750865605","32423565209999813888984125196922238314","277252751256773839106274423853941105145","177649780436661873186378779791972495782","87457855893211095898976782697811200436","271393681686466991765481854149441463432","291869085989057971998782664238448063623","283960316373127838310434272826434264951","110168409891027145125484521302180438624","332804156662481109427587395674058886673","196057315097150864096171074305999168986","43997827086932850920757970056345801535","87165258556356256108888645208400235916","113280187794616323198828273921942922162","217879654717393563195353541726202879219","115649102525993532045248576010565840759","256584152456612790210969595626843445836","9137569471773682973684105697194852775","92295091909584830493727438899044783717","83086903934280031691821906947382080038","49846852191373665480083085087342891958","338906667619663477482381201342791604547","128457975258460512713871355108825639291","25088696614288469407895734397655756731","59434041739301485784372445577503675536","209714490067857263522236258976403941283","165878685771085962425725540344852052590","128414171240251794177296279088061733748","36316392981092179572660706497667942995","88043512317473275336884332579642680877","196057315097150864096171074305999168986","43997827086932850920757970056345801535","87165258556356256108888645208400235916","169432363214486187268745832769874227344","190456298135387678038642757580156882457","115649102525993532045248576010565840759","256584152456612790210969595626843445836","9137569471773682973684105697194852775","107532391141670904783165217610605953264","313637298857287612438911363738637421945","60402971881160126086240620705137226767","13552015904960181699515604159429313485","269039415874274483728319823337301009930","226720462349373536152640104696944103189","70724719849622876252369936278930316630","204636774618066027572654205596996281564","312620174353653003242865189682750078771","1999507374277784094792014986210075752","77126822460060160868633215974923676011","206845374057353456109194533249815252564","308444527540163286080981913092746907225","123940570758430844552109263375568977558","288488291313138768601066425219521582830","102462049936954247047826355526185762854","264403209169700516106663167963987013596","67658967645960681751821641472277070500","101513277398978384344834398236057621957","282535290391298460348636694394595300063","81972568559392482805497231245834499617","30181345067630880270526562072574952781","314516624984129739714331346660467845624","149312512928866397311697141482796945527","162426562151165784007944744072359641320","141392573072803819448121911246468523786"]},"signature_version":"v1","signature_type":"Line","deprecated":false,"id":"CVE-2022-47090-1bd45b9a","source":"https://github.com/gpac/gpac/commit/48760768611f6766bf9e7378bb7cc66cebd6e49d","target":{"file":"src/filters/reframe_nalu.c"}},{"digest":{"length":6295,"function_hash":"196346292254685270069565389086108819905"},"signature_version":"v1","signature_type":"Function","deprecated":false,"id":"CVE-2022-47090-1ef13c96","source":"https://github.com/gpac/gpac/commit/48760768611f6766bf9e7378bb7cc66cebd6e49d","target":{"function":"naludmx_check_pid","file":"src/filters/reframe_nalu.c"}},{"digest":{"length":5303,"function_hash":"60419063003199191726838070568378404507"},"signature_version":"v1","signature_type":"Function","deprecated":false,"id":"CVE-2022-47090-598b0f62","source":"https://github.com/gpac/gpac/commit/48760768611f6766bf9e7378bb7cc66cebd6e49d","target":{"function":"naludmx_create_hevc_decoder_config","file":"src/filters/reframe_nalu.c"}},{"digest":{"length":5362,"function_hash":"282602502051226317528355739273576782141"},"signature_version":"v1","signature_type":"Function","deprecated":false,"id":"CVE-2022-47090-5eca42bf","source":"https://github.com/gpac/gpac/commit/48760768611f6766bf9e7378bb7cc66cebd6e49d","target":{"function":"naludmx_create_vvc_decoder_config","file":"src/filters/reframe_nalu.c"}},{"digest":{"length":4889,"function_hash":"54051840382090665012279100390031030963"},"signature_version":"v1","signature_type":"Function","deprecated":false,"id":"CVE-2022-47090-70a2de94","source":"https://github.com/gpac/gpac/commit/48760768611f6766bf9e7378bb7cc66cebd6e49d","target":{"function":"naludmx_create_avc_decoder_config","file":"src/filters/reframe_nalu.c"}},{"digest":{"length":9258,"function_hash":"187892300278696992071000075496628048873"},"signature_version":"v1","signature_type":"Function","deprecated":false,"id":"CVE-2022-47090-e5f2c26f","source":"https://github.com/gpac/gpac/commit/48760768611f6766bf9e7378bb7cc66cebd6e49d","target":{"function":"gf_vvc_read_pps_bs_internal","file":"src/media_tools/av_parsers.c"}},{"digest":{"threshold":0.9,"line_hashes":["9598856946840000043357287569005012389","141463780591152997642512241595332271043","268336417426805060081828907197226815546","296599562676330051517447606396841409969","107367841899169065754041093112658862510","20107194874740464870186419265844404251","182971361688358743674011316645839448862","158909592336990539578065677634650914221"]},"signature_version":"v1","signature_type":"Line","deprecated":false,"id":"CVE-2022-47090-f025825e","source":"https://github.com/gpac/gpac/commit/48760768611f6766bf9e7378bb7cc66cebd6e49d","target":{"file":"include/gpac/internal/media_dev.h"}}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-47090.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}