#VU36083 Out-of-bounds write in Bento4 - CVE-2019-9544
Published: March 1, 2019 / Updated: August 8, 2020
Vulnerability identifier: #VU36083
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2019-9544
CWE-ID: CWE-787
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Bento4
Bento4
Software vendor:
axiomatic-systems
axiomatic-systems
Description
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
An issue was discovered in Bento4 1.5.1-628. An out of bounds write occurs in AP4_CttsTableEntry::AP4_CttsTableEntry() located in Core/Ap4Array.h. It can be triggered by sending a crafted file to (for example) the mp42hls binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact.
Remediation
Install update from vendor's website.