Heap-based Buffer Overflow in axiomatic-systems/bento4

Valid

Reported on

May 13th 2021

✍️ Description

heap-buffer-overflow

🕵️‍♂️ Proof of Concept

Verification steps： 1.Get the source code of Bento4 2.Compile the Bento4

$ cd Bento4
$ mkdir check_build && cd check_build
$ cmake ../ -DCMAKE_C_COMPILER=clang  -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_FLAGS="-fsanitize=address" -DCMAKE_CXX_FLAGS="-fsanitize=address"
$ make -j 32

3.run poc

$ ./avcinfo poc  
$ ./hevcinfo poc

💥 Impact

This vulnerability is capable of Code execution

References

Dimitry Ishenko validated this vulnerability a year ago

RouX has been awarded the disclosure bounty

The fix bounty is now up for grabs

Dimitry Ishenko

commented a year ago

Maintainer

FWIW, this should be two separate issues.

Dimitry Ishenko marked this as fixed in HEAD with commit 186531 a year ago

Dimitry Ishenko has been awarded the fix bounty

This vulnerability will not receive a CVE

Dimitry Ishenko

commented a year ago

Maintainer

There is also commit d83f07c9b8af0e7137521105c281b7c7558f56cc which fixes issue 610

to join this conversation

Dimitry Ishenko validated this vulnerability a year ago

RouX has been awarded the disclosure bounty

The fix bounty is now up for grabs

Dimitry Ishenko

commented a year ago

Maintainer

FWIW, this should be two separate issues.

Dimitry Ishenko marked this as fixed in HEAD with commit 186531 a year ago

Dimitry Ishenko has been awarded the fix bounty

This vulnerability will not receive a CVE

Dimitry Ishenko

commented a year ago

Maintainer

There is also commit d83f07c9b8af0e7137521105c281b7c7558f56cc which fixes issue 610

to join this conversation