Bug#1125089: [libmpeg2] NULL pointer dereference in mpeg2_init_fbuf() via crafted MPEG video

[김우석]

Package: libmpeg2-4
Version: 0.5.1-9

Hi Debian Security Team,

I would like to report a security vulnerability in the libmpeg2 package.

[Summary]
A NULL pointer dereference vulnerability exists in libmpeg2 0.5.1
that can be triggered by processing a malformed MPEG video stream.

[Affected Package]

   -

   Package: libmpeg2-4
   -

   Version: 0.5.1-9 (Debian stable)
   -

   Also affects: Ubuntu 22.04 / 24.04

[Vulnerability Details]

   -

   Type: NULL pointer dereference
   -

   Location: mpeg2_init_fbuf() function
   -

   Impact: Denial of Service (crash)
   -

   Attack vector: Processing malformed MPEG-1/2 video file

[Reproduction]
The crash can be triggered using GStreamer's mpeg2dec element:

$ gst-launch-1.0 filesrc location=crash.bin ! mpegvideoparse ! mpeg2dec !
fakesink

The pipeline crashes with SIGSEGV when processing the attached file.

[Proof of Concept]
Attached: libmpeg2_crash_0.bin

[Additional Notes]

   -

   libmpeg2 upstream (libmpeg2.sourceforge.net) has been unmaintained since
   2008
   -

   The vulnerability was found via fuzzing with AFL++
   -

   GStreamer uses libmpeg2 for legacy MPEG-1/2 decoding

As this issue was first identified in GStreamer, we initially reported it
to the GStreamer Security Team. Since the root cause lies within libmpeg2,
we are submitting this report to Debian as well.

Please let me know if you need any additional information.

Best regards,
Wooseok Kim
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-multimedia-maintainers/attachments/20260109/8ad3c9d2/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: libmpeg2_crash_0.bin
Type: application/macbinary
Size: 4810 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-multimedia-maintainers/attachments/20260109/8ad3c9d2/attachment.bin>