Axiomatic Bento4 Heap-Based Buffer Overflow Vulnerability in mp42aac Component

Vulnerability

A critical heap-based buffer overflow vulnerability has been identified in Axiomatic Bento4 versions through 1.6.0. The issue arises in the mp42aac component, specifically within the AP4_StdcFileByteStream::ReadPartial function. This vulnerability can be exploited remotely, allowing attackers to manipulate input data and cause memory corruption by overwriting parts of the heap.

Impact

Exploitation of this vulnerability leads to a heap-based buffer overflow, allowing for memory corruption that could be exploited to execute arbitrary code or cause a denial-of-service condition by crashing the application.

Reproduction

The vulnerability can be reproduced by compiling Bento4 with AddressSanitizer enabled, using Clang as the compiler. After building the application, the mp42aac tool can be used to process a crafted input file that triggers the buffer overflow. AddressSanitizer then reports a heap-buffer-overflow error, confirming that the overflow was triggered.
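
A triage helper for the AddressSanitizer output described above, as an added example that is not part of the advisory or of the Bento4 project: it parses a report and checks whether it is a heap-buffer-overflow whose faulting stack passes through AP4_StdcFileByteStream::ReadPartial. The sample report, its addresses, sizes and paths, and the helper names are constructed for illustration.

```python
import re

# Function named in the advisory; a faulting-stack frame containing it marks a match.
TARGET_FRAME = "AP4_StdcFileByteStream::ReadPartial"

HEADER_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+)")
ACCESS_RE = re.compile(r"(READ|WRITE) of size (\d+)")
# Symbol is everything between " in " and the trailing location token.
FRAME_RE = re.compile(r"\s*#\d+ 0x[0-9a-f]+ in (.+) \S+$")

# Constructed sample report: every address, size and path is a placeholder.
SAMPLE_REPORT = """\
==4242==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000018 at pc 0x0000004a1b2c bp 0x7ffc00000010 sp 0x7ffc00000008
WRITE of size 4096 at 0x602000000018 thread T0
    #0 0x4a1b2c in fread (/placeholder/mp42aac+0x4a1b2c)
    #1 0x5c0d1e in AP4_StdcFileByteStream::ReadPartial(void*, unsigned int, unsigned int&) /placeholder/source.cpp:0
    #2 0x5d0000 in main /placeholder/main.cpp:0

0x602000000018 is located 0 bytes after 8-byte region [0x602000000010,0x602000000018)
allocated by thread T0 here:
    #0 0x4f0000 in operator new[](unsigned long) (/placeholder/mp42aac+0x4f0000)
"""

def parse_asan_report(text):
    """Return error class, access kind/size and the faulting stack, or None."""
    header = HEADER_RE.search(text)
    if not header:
        return None
    report = {"error": header.group(1), "access": None, "size": None, "frames": []}
    in_stack = False
    for line in text[header.end():].splitlines():
        access = ACCESS_RE.match(line)
        if access and not in_stack:
            report["access"], report["size"] = access.group(1), int(access.group(2))
            in_stack = True
            continue
        if in_stack:
            frame = FRAME_RE.match(line)
            if not frame:
                break  # blank line ends the faulting stack; allocation stack is skipped
            report["frames"].append(frame.group(1))
    return report

def matches_advisory(report):
    """True for a heap-buffer-overflow whose faulting stack includes TARGET_FRAME."""
    return (report is not None
            and report["error"] == "heap-buffer-overflow"
            and any(TARGET_FRAME in f for f in report["frames"]))
```

Running this over the stderr captured from an ASan build of mp42aac separates reports that match this advisory from unrelated sanitizer findings.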

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 2.4
impact: 2.5
exploitability: 5.8
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.