The quicktime_match_32 function in util.c in libquicktime 1.2.4 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted mp4 file.
The quicktime_read_moov function in moov.c in libquicktime version 1.2.4 can cause a denial of service (infinite loop and CPU consumption) via a crafted mp4 file.