Description
The function mp4v2::impl::MP4Track::FinishSdtp() in mp4track.cpp in libmp4v2 2.1.0 mishandles compatibleBrand while processing a crafted mp4 file, which leads to a heap-based buffer over-read, causing denial of service.
References (2)
Core References
Issue Tracking, Third Party Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=1629451
Release Notes: https://github.com/enzo1982/mp4v2/releases/tag/v2.1.0
Scores
CVSS v3: 6.5
EPSS: 0.0024
EPSS Percentile: 46.8%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Details
CWE: CWE-125
Status: published
Products (1): mp4v2_project/mp4v2 2.1.0
Published: Sep 20, 2018
Tracked Since: Feb 18, 2026