I'm sorry, but again, I don't see how a 4-byte OOB write will realistically lead to RCE without the custom buffer in the PoC that explicitly puts a function pointer directly where the overflow happens, then invokes it.
I'm happy to be shown what I'm missing, but this seems like a memory corruption bug, not RCE, and if it was feasible w/o the custom buffer then why not provide that as the example? In the real world, an ffmpeg invocation would use the default buffer handler, which uses padding/alignment/etc. that makes the heap even less predictable, and makes it incredibly unlikely to have a function pointer exactly following the frame buffer that will deterministically be invoked by a process placing it there.
It seems very far fetched.
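To make the layout argument in this comment concrete, here is a constructed C illustration (added here; it is not ffmpeg code, not the PoC under discussion, and does not model any real vulnerability). The struct names, the 16-byte `data` field, the 32-byte `slack` field and the 20-byte payload are all invented for the demo. It shows the two cases the comment contrasts: a hand-built struct that places a callback pointer immediately after the frame bytes, where a 4-byte overrun lands on the pointer deterministically, and the same fields separated by the kind of padding a real allocator or struct layout introduces, where the identical overrun never reaches it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed "custom buffer" layout: the callback sits at offset 16,
 * immediately after a 16-byte frame field. Nothing here is ffmpeg code. */
struct tight_frame {
    unsigned char data[16];
    void (*on_done)(void);
};

/* Same fields with an (assumed) 32 bytes of slack between them, standing
 * in for allocator padding, alignment, or neighbouring fields. */
struct padded_frame {
    unsigned char data[16];
    unsigned char slack[32];
    void (*on_done)(void);
};

static void harmless(void) { }

/* Models a copy routine that trusts a caller-supplied length. Copying
 * 20 bytes into a 16-byte field is a 4-byte out-of-bounds write. Going
 * through a byte pointer to the whole struct keeps the demo well-defined
 * C while landing exactly where such an overflow would land. */
static void copy_frame_bytes(void *frame, const unsigned char *src, size_t n)
{
    memcpy((unsigned char *)frame, src, n);
}

/* Constructed payload: 16 bytes of "pixel data" plus 4 attacker bytes. */
static const unsigned char payload[20] = {
    0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,
    0x41, 0x41, 0x41, 0x41
};

/* Returns 1 if the overrun changed the callback pointer (never call it
 * afterwards; its low bytes are now 0x41414141). */
int tight_layout_clobbers_callback(void)
{
    struct tight_frame f;
    f.on_done = harmless;
    copy_frame_bytes(&f, payload, sizeof payload);
    return f.on_done != harmless;
}

/* Same overrun against the padded layout: the 4 extra bytes stop inside
 * the slack field and the callback is untouched. */
int padded_layout_clobbers_callback(void)
{
    struct padded_frame f;
    f.on_done = harmless;
    copy_frame_bytes(&f, payload, sizeof payload);
    return f.on_done != harmless;
}

size_t tight_callback_offset(void)  { return offsetof(struct tight_frame, on_done); }
size_t padded_callback_offset(void) { return offsetof(struct padded_frame, on_done); }

int main(void)
{
    printf("tight layout:  callback at offset %zu, clobbered=%d\n",
           tight_callback_offset(), tight_layout_clobbers_callback());
    printf("padded layout: callback at offset %zu, clobbered=%d\n",
           padded_callback_offset(), padded_layout_clobbers_callback());
    return 0;
}
```

The point of the contrast is that the overrun's reach is fixed (4 bytes), so whether it hits anything interesting is entirely a property of what the allocator or the surrounding struct places at offset 16; the PoC's custom buffer decides that placement, while a general-purpose heap does not.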