CVE-2023-29574: 
NixOS vulnerability analysis and mitigation

Bento4 v1.6.0-639 was discovered to contain an out-of-memory bug in the mp42avc component. The vulnerability was assigned CVE-2023-29574 and was disclosed on April 12, 2023. The issue affects the memory allocation functionality in the software's mp42avc component (NVD).

The vulnerability manifests as an out-of-memory condition in the operator new(unsigned long) function when attempting to allocate 0x400000010 bytes. The issue occurs in the AP4_Array::EnsureCapacity function within Ap4Array.h, specifically during the processing of MP4 files. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (NVD).

When exploited, this vulnerability can lead to a denial of service condition through memory exhaustion. The issue occurs when processing specially crafted MP4 files, which can cause the application to abort due to failed memory allocation attempts (GitHub Issue).

While specific patches were not detailed in the available sources, users can set the allocatormayreturn_null=1 parameter as a temporary workaround to prevent application crashes, though this does not address the underlying vulnerability (GitHub Issue).