Axiomatic Bento4 Resource Allocation Vulnerability in Mp4Decrypt Component

A resource allocation vulnerability has been identified in Axiomatic Bento4 versions through 1.6.0-641, specifically within the Mp4Decrypt component. The issue arises in the function AP4_DataBuffer::SetDataSize, located in Mp4Decrypt.cpp. This vulnerability allows for remote exploitation, leading to a denial-of-service condition by causing the application to request an excessive amount of memory, approximately 4 GB, which is unsustainable and results in a crash.

Impact

Exploitation of this vulnerability causes an unhandled memory allocation exception, leading to a crash of the application. This behavior is consistent with a denial-of-service condition, where the application is terminated due to the inability to handle the memory request.

Reproduction

The vulnerability can be reproduced by building the mp4decrypt application from the Bento4 source code, specifically from the commit 0d86d53. After compiling the application with the default configuration, it can be executed with the --show-progress option, followed by a malformed MP4 file that triggers the vulnerability. The application will crash almost immediately, displaying an error message indicating that a memory allocation exception was thrown, which is a sign of the denial-of-service condition.