The gf_hinter_track_new function in GPAC 1.0.1 allows malicious users to read memory via a crafted file in the MP4Box command.