NULL Pointer Dereference in axiomatic-systems/bento4

Valid

Reported on

May 12th 2021

✍️ Description

NULL pointer dereference of Ap4Descriptor.h in function GetTag

🕵️‍♂️ Proof of Concept

Verification steps： 1.Get the source code of Bento4 2.Compile the Bento4

$ cd Bento4
$ mkdir check_build && cd check_build
$ cmake ../ -DCMAKE_C_COMPILER=clang  -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_FLAGS="-fsanitize=address" -DCMAKE_CXX_FLAGS="-fsanitize=address"
$ make -j 32

3.run mp42aac

$ ./mp42aac poc.mp4   /dev/null

💥 Impact

This vulnerability is capable of DDos

References

https://github.com/axiomatic-systems/Bento4/issues/603

Dimitry Ishenko marked this as fixed with commit 481c27 2 years ago

Dimitry Ishenko has been awarded the fix bounty

This vulnerability will not receive a CVE

to join this conversation

Dimitry Ishenko marked this as fixed with commit 481c27 2 years ago

Dimitry Ishenko has been awarded the fix bounty

This vulnerability will not receive a CVE

to join this conversation