Heap-based Buffer Overflow in axiomatic-systems/bento4


Reported on

May 13th 2021

✍️ Description


🕵️‍♂️ Proof of Concept

Verification steps:

1. Get the source code of Bento4.
2. Compile Bento4 (the flags below enable AddressSanitizer):

$ cd Bento4
$ mkdir check_build && cd check_build
$ cmake ../ -DCMAKE_C_COMPILER=clang  -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_FLAGS="-fsanitize=address" -DCMAKE_CXX_FLAGS="-fsanitize=address"
$ make -j 32

3. Run the PoC:

$ ./avcinfo poc
$ ./hevcinfo poc
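
The steps above build Bento4 with AddressSanitizer and run the PoC through avcinfo and hevcinfo; what a triager then needs is the sanitizer report itself (error kind, faulting access, innermost frame). The helper below is an added example, not part of the huntr report or of Bento4: it wraps a tool run under ASan so the full report is kept in a log, and it extracts those three fields from such a log. The sample report it triages is constructed to resemble ASan output (the frame name ParseHeader and the addresses are placeholders, not real Bento4 output), and the ASAN_OPTIONS values are assumptions about a useful triage configuration.

```shell
#!/bin/sh
# Added triage helper, not part of the huntr report or of Bento4.
# Assumptions (constructed): the tool binary and PoC path are passed in by the
# caller, ASan writes its report to stderr, and the sample log below is made up
# to resemble ASan output (the frame name ParseHeader is a placeholder).

# Run one tool on a PoC under ASan and keep the full report in a log file.
# Usage: run_under_asan ./avcinfo poc avcinfo.log
run_under_asan() {
    tool="$1"; poc="$2"; log="$3"; status=0
    # abort_on_error=0: print the whole report before exiting.
    # detect_leaks=0:   keep leak output from drowning the overflow report.
    ASAN_OPTIONS="abort_on_error=0:detect_leaks=0" "$tool" "$poc" >/dev/null 2>"$log" || status=$?
    echo "exit status: $status" >>"$log"
}

# Print the sanitizer error kind found in a log (e.g. heap-buffer-overflow,
# heap-use-after-free, SEGV), or "none" if the log holds no ASan report.
asan_error_kind() {
    kind=$(grep -o 'AddressSanitizer: [A-Za-z-]*' "$1" | head -n 1 | sed 's/AddressSanitizer: //')
    if [ -z "$kind" ]; then echo none; else echo "$kind"; fi
}

# Print the faulting access ("READ of size 4" / "WRITE of size 8"), or "none".
asan_access() {
    access=$(grep -oE '(READ|WRITE) of size [0-9]+' "$1" | head -n 1)
    if [ -z "$access" ]; then echo none; else echo "$access"; fi
}

# Print the innermost stack frame (the "#0" line), trimmed, or "none".
asan_top_frame() {
    frame=$(grep '#0 ' "$1" | head -n 1 | sed 's/^[[:space:]]*//')
    if [ -z "$frame" ]; then echo none; else echo "$frame"; fi
}

# Write a constructed ASan-style report (not real Bento4 output) to "$1".
sample_asan_log() {
    cat >"$1" <<'EOF'
==4242==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000018 at pc 0x00000051a2b3 bp 0x7ffd4f2e3c40 sp 0x7ffd4f2e3c38
READ of size 4 at 0x602000000018 thread T0
    #0 0x51a2b2 in ParseHeader (./avcinfo+0x51a2b2)
    #1 0x4c3e1f in main (./avcinfo+0x4c3e1f)
0x602000000018 is located 0 bytes to the right of 8-byte region [0x602000000010,0x602000000018)
exit status: 1
EOF
}

# Demo on the constructed log: write it, triage it, clean up.
demo_log=$(mktemp)
sample_asan_log "$demo_log"
echo "kind:   $(asan_error_kind "$demo_log")"
echo "access: $(asan_access "$demo_log")"
echo "frame:  $(asan_top_frame "$demo_log")"
rm -f "$demo_log"
```

For a real run, call `run_under_asan ./avcinfo poc avcinfo.log` and `run_under_asan ./hevcinfo poc hevcinfo.log` from the ASan build directory, then point the three extractors at each log; a READ versus WRITE access and the innermost frame are what separate two distinct bugs that happen to share one PoC file.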

💥 Impact

This vulnerability is capable of code execution.

Dimitry Ishenko validated this vulnerability 7 months ago
RouX has been awarded the disclosure bounty
The fix bounty is now up for grabs
Dimitry Ishenko
7 months ago


FWIW, this should be two separate issues.

Dimitry Ishenko confirmed that a fix has been merged on 186531 21 days ago
Dimitry Ishenko has been awarded the fix bounty
Dimitry Ishenko
21 days ago


There is also commit d83f07c9b8af0e7137521105c281b7c7558f56cc which fixes issue 610
