Monthly Archives: September 2017

bento4: heap-based buffer overflow in AP4_HdlrAtom::AP4_HdlrAtom (Ap4HdlrAtom.cpp)

Description: bento4 is a fast, modern, open source C++ toolkit for all your MP4 and MPEG DASH media format needs. The complete ASan output of the issue: # mp42aac $FILE out.aac ==10603==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000af at pc 0x000000622588 … Continue reading

Posted in advisories, security | Leave a comment

bento4: NULL pointer dereference in AP4_StdcFileByteStream::ReadPartial (Ap4StdCFileByteStream.cpp)

Description: bento4 is a fast, modern, open source C++ toolkit for all your MP4 and MPEG DASH media format needs. The complete ASan output of the issue: # mp42aac $FILE out.aac ASAN:DEADLYSIGNAL ================================================================= ==18215==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 … Continue reading

Posted in advisories, security | Leave a comment

bento4: NULL pointer dereference in AP4_DataAtom::~AP4_DataAtom (Ap4MetaData.cpp)

Description: bento4 is a fast, modern, open source C++ toolkit for all your MP4 and MPEG DASH media format needs. The complete ASan output of the issue: # mp42aac $FILE out.aac ASAN:DEADLYSIGNAL ================================================================= ==11595==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 … Continue reading

Posted in advisories, security | 1 Comment

bento4: NULL pointer dereference in AP4_AtomSampleTable::GetSample (Ap4AtomSampleTable.cpp)

Description: bento4 is a fast, modern, open source C++ toolkit for all your MP4 and MPEG DASH media format needs. The complete ASan output of the issue: # mp42aac $FILE out.aac ASAN:DEADLYSIGNAL ================================================================= ==6365==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 … Continue reading

Posted in advisories, security | Leave a comment

bento4: NULL pointer dereference in AP4_Atom::SetType (Ap4Atom.h)

Description: bento4 is a fast, modern, open source C++ toolkit for all your MP4 and MPEG DASH media format needs. The complete ASan output of the issue: # mp42aac $FILE out.aac ASAN:DEADLYSIGNAL ================================================================= ==23307==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 … Continue reading

Posted in advisories, security | Leave a comment

bento4: heap-based buffer overflow in AP4_BitStream::ReadBytes (Ap4BitStream.cpp)

Description: bento4 is a fast, modern, open source C++ toolkit for all your MP4 and MPEG DASH media format needs. The complete ASan output of the issue: # aac2mp4 $FILE /tmp/out.mp4 AAC frame [000000]: size = -7, 96000 kHz, 0 … Continue reading

Posted in advisories, security | Leave a comment

mp3gain: global buffer overflow in III_i_stereo (mpglibDBL/layer3.c)

Description: mp3gain is a program to analyze and adjust MP3 files to same volume. The fuzz was done via the aacgain command-line tool which uses mp3gain which bundles an old-modified version of mpg123 called mpglibDBL. The upstream project seems to … Continue reading

Posted in advisories, security | Leave a comment

mp3gain: invalid memory write in copy_mp (mpglibDBL/interface.c)

Description: mp3gain is a program to analyze and adjust MP3 files to same volume. The fuzz was done via the aacgain command-line tool which uses mp3gain which bundles an old-modified version of mpg123 called mpglibDBL. The upstream project seems to … Continue reading

Posted in advisories, security | Leave a comment

mp3gain: stack-based buffer overflow in dct36 (mpglibDBL/layer3.c)

Description: mp3gain is a program to analyze and adjust MP3 files to same volume. The fuzz was done via the aacgain command-line tool which uses mp3gain which bundles an old-modified version of mpg123 called mpglibDBL. The upstream project seems to … Continue reading

Posted in advisories, security | Leave a comment

mp3gain: global buffer overflow in III_dequantize_sample (mpglibDBL/layer3.c)

Description: mp3gain is a program to analyze and adjust MP3 files to same volume. The fuzz was done via the aacgain command-line tool which uses mp3gain which bundles an old-modified version of mpg123 called mpglibDBL. The upstream project seems to … Continue reading

Posted in advisories, security | Leave a comment