CCExtractor Use-After-Free Vulnerability in MP4 Processing Function
Vulnerability
A use-after-free vulnerability has been identified in CCExtractor versions through 0.96.5. The issue arises in the 'processmp4' function within 'src/lib_ccx/mp4.c', where improper memory management leads to accessing freed memory. This vulnerability requires local access to exploit and has been publicly disclosed along with a proof-of-concept exploit.
Impact
Triggering this vulnerability causes a segmentation fault, that is, a crash due to invalid memory access. Because the underlying flaw is a use-after-free, it could potentially be exploited to execute arbitrary code, a common risk associated with this class of memory corruption issue.
Reproduction
The vulnerability can be reproduced by building CCExtractor with release optimization and AddressSanitizer (ASan) enabled. After compiling, run the program with a specific input file that triggers the use-after-free condition, causing a segmentation fault. The resulting ASan report shows the memory access error, confirming the vulnerability.
Remediation
Users are advised to upgrade to CCExtractor version 0.96.6, which addresses this vulnerability. The latest version can be downloaded from the CCExtractor GitHub releases page.
