NULL Pointer Dereference in axiomatic-systems/bento4

Valid

Reported on

May 12th 2021


✍️ Description

NULL pointer dereference in the function GetTag in Ap4Descriptor.h.

🕵️‍♂️ Proof of Concept

Verification steps:

1. Get the source code of Bento4.
2. Compile Bento4:

$ cd Bento4
$ mkdir check_build && cd check_build
$ cmake ../ -DCMAKE_C_COMPILER=clang  -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_FLAGS="-fsanitize=address" -DCMAKE_CXX_FLAGS="-fsanitize=address"
$ make -j 32

3. Run mp42aac:

$ ./mp42aac poc.mp4   /dev/null
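
Because the build above uses -fsanitize=address, the crash from step 3 surfaces as an AddressSanitizer report on stderr. The script below is an added example, not part of the original report or of Bento4: it classifies such a report as a NULL dereference, another crash, or a clean run (useful for re-checking after the fix). The function names and the sample report, including its stack frames and addresses, are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify an AddressSanitizer report from the mp42aac PoC run.
# Typical use (ASan writes its report to stderr):
#   ./mp42aac poc.mp4 /dev/null 2>&1 | classify_asan_report

# Constructed sample report: the PID, addresses and "NN" line numbers are
# placeholders, not output captured from a real Bento4 run.
sample_report() {
cat <<'EOF'
AddressSanitizer:DEADLYSIGNAL
==4242==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x0000004f1a2b bp 0x7ffc00000010 sp 0x7ffc00000000 T0)
==4242==The signal is caused by a READ memory access.
==4242==Hint: address points to the zero page.
    #0 0x4f1a2b in AP4_Descriptor::GetTag() Ap4Descriptor.h:NN
    #1 0x4f2c3d in main (mp42aac+0x4f2c3d)
EOF
}

# Reads a report on stdin and prints one line:
#   clean | null-deref <ACCESS> <top frame> | other-crash <ACCESS> <top frame>
classify_asan_report() {
    car_report=$(cat)
    # No ASan error banner means the run was clean (expected on a fixed build).
    if ! printf '%s\n' "$car_report" | grep -q 'ERROR: AddressSanitizer:'; then
        echo "clean"
        return 0
    fi
    car_addr=$(printf '%s\n' "$car_report" |
        sed -n 's/.*SEGV on unknown address \(0x[0-9a-fA-F]*\).*/\1/p' | head -n 1)
    car_access=$(printf '%s\n' "$car_report" |
        sed -n 's/.*caused by a \([A-Z]*\) memory access.*/\1/p' | head -n 1)
    car_frame=$(printf '%s\n' "$car_report" |
        sed -n 's/^ *#0 0x[0-9a-fA-F]* in \([^( ]*\).*/\1/p' | head -n 1)
    # A NULL object pointer plus a small member offset faults inside the first
    # page, so test "address < 0x1000" (at most 3 significant hex digits)
    # rather than "address == 0". The string test avoids shell integer overflow.
    car_hex=$(printf '%s' "${car_addr#0x}" | sed 's/^0*//')
    if [ -n "$car_addr" ] && [ "${#car_hex}" -le 3 ]; then
        car_kind="null-deref"
    else
        car_kind="other-crash"
    fi
    echo "$car_kind ${car_access:-UNKNOWN} ${car_frame:-unknown}"
}

sample_report | classify_asan_report
```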

💥 Impact

This vulnerability can be used to cause a denial of service (DoS).

Dimitry Ishenko confirmed that a fix has been merged on 481c27 4 months ago
Dimitry Ishenko has been awarded the fix bounty