Heap-based Buffer Overflow in axiomatic-systems/bento4


Reported on

May 13th 2021

✍️ Description


🕵️‍♂️ Proof of Concept

Verification steps: 1.Get the source code of Bento4 2.Compile the Bento4

$ cd Bento4
$ mkdir check_build && cd check_build
$ cmake ../ -DCMAKE_C_COMPILER=clang  -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_FLAGS="-fsanitize=address" -DCMAKE_CXX_FLAGS="-fsanitize=address"
$ make -j 32

3.run poc

$ ./avcinfo poc  
$ ./hevcinfo poc  

💥 Impact

This vulnerability is capable of Code execution

Dimitry Ishenko validated this vulnerability a year ago
RouX has been awarded the disclosure bounty
The fix bounty is now up for grabs
Dimitry Ishenko
a year ago


FWIW, this should be two separate issues.

Dimitry Ishenko marked this as fixed in HEAD with commit 186531 a year ago
Dimitry Ishenko has been awarded the fix bounty
This vulnerability will not receive a CVE
Dimitry Ishenko
a year ago


There is also commit d83f07c9b8af0e7137521105c281b7c7558f56cc which fixes issue 610

to join this conversation