CVE-2018-20659

Name of the Vulnerable Software and Affected Versions: Bento4 version 1.5.1-627

Description: An issue was discovered in the AP4 StcoAtom class, which is located in Core/Ap4StcoAtom.cpp. This issue occurs when the AP4 AtomFactory::CreateAtomFromStream function in Core/Ap4AtomFactory.cpp calls the AP4 StcoAtom class, resulting in an attempted excessive memory allocation. This has been demonstrated using the mp42hls tool.

Recommendations: For Bento4 version 1.5.1-627, consider restricting the use of the AP4 StcoAtom class until a patch is available. As a temporary workaround, avoid using the AP4 AtomFactory::CreateAtomFromStream function in Core/Ap4AtomFactory.cpp to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.