Pikaqqq

Name of the Vulnerable Software and Affected Versions: Bento4 version 1.5.1-627 Description: An issue was discovered in the AP4 StcoAtom class, which is located in Core/Ap4StcoAtom.cpp. This issue occurs when the AP4 AtomFactory::CreateAtomFromStream function in Core/Ap4AtomFactory.cpp calls the AP4 StcoAtom class, resulting in an attempted excessive memory allocation. This has been demonstrated using the mp42hls tool. Recommendations: For Bento4 version 1.5.1-627, consider restricting the use of the AP4 StcoAtom class until a patch is available. As a temporary workaround, avoid using the AP4 AtomFactory::CreateAtomFromStream function in Core/Ap4AtomFactory.cpp to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Bento4 version 1.5.1-627 **Description** An issue was discovered in the AP4 DataBuffer class when called from AP4 HvccAtom::Create in Core/Ap4HvccAtom.cpp, where there is an attempt at excessive memory allocation. **Recommendations** For Bento4 version 1.5.1-627, consider restricting the use of the AP4 DataBuffer class until a patch is available. As a temporary workaround, review the memory allocation in the AP4 HvccAtom::Create function to prevent excessive allocation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Bento4 version 1.5.1-627 **Description** A heap-based buffer over-read issue was discovered in the AP4 AvccAtom::Create function in Core/Ap4AvccAtom.cpp. This issue is demonstrated by the mp42hls tool. **Recommendations** For Bento4 version 1.5.1-627, consider restricting access to the AP4 AvccAtom::Create function in Core/Ap4AvccAtom.cpp until a patch is available. As a temporary workaround, avoid using the mp42hls tool with this version of Bento4.

**Name of the Vulnerable Software and Affected Versions** Bento4 version 1.5.1-627 **Description** A memory leak issue was found in the AP4 StdcFileByteStream::Create function, located in System/StdC/Ap4StdCFileByteStream.cpp. This issue is demonstrated by the mp42hls tool. **Recommendations** For Bento4 version 1.5.1-627, consider restricting access to the AP4 StdcFileByteStream::Create function until a patch is available. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Bento4 version 1.5.1-627 **Description** A memory leak issue was found in the `AP4 DescriptorFactory::CreateDescriptorFromStream` function, located in `Core/Ap4DescriptorFactory.cpp`. This issue is demonstrated by the `mp42hls` tool. **Recommendations** For Bento4 version 1.5.1-627, consider applying a patch or fix to address the memory leak in the `AP4 DescriptorFactory::CreateDescriptorFromStream` function. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Bento4 version 1.5.1-627 **Description** An issue was discovered that allows attackers to trigger an attempted excessive memory allocation. This is related to the `AP4 DataBuffer::SetDataSize` and `AP4 DataBuffer::ReallocateBuffer` functions in Core/Ap4DataBuffer.cpp, which are used by the `AP4 Sample::ReadData` function in Core/Ap4Sample.cpp. **Recommendations** For Bento4 version 1.5.1-627, consider restricting the use of the `AP4 Sample::ReadData` function until a patch is available to prevent excessive memory allocation attempts.

**Name of the Vulnerable Software and Affected Versions** Bento4 version 1.5.1-627 **Description** An issue was discovered in the EnsureCapacity function in Core/Ap4Array.h. It allows crafted MP4 input to trigger an attempt at excessive memory allocation. **Recommendations** For Bento4 version 1.5.1-627, consider applying a patch or fix to prevent excessive memory allocation in the EnsureCapacity function. At the moment, there is no information about a newer version that contains a fix for this issue.