The FullBox::get_flags() method retrieves 24-bit flags from the underlying box header. When a malformed box truncates the field, the function still attempts to read three bytes. With insufficient data, this reads past valid memory into uninitialized or out-of-bounds memory.
*Root Cause:* - No length validation before reading flag fields. *Impact:* - Crash due to invalid memory access. - Potential leakage of heap memory values. *Evidence:* SUMMARY: AddressSanitizer: SEGV in FullBox::get_flags() _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
