CVE ID : CVE-2025-59734<\/p>\n
Published : Oct. 6, 2025, 8:15 a.m. | 2\u00a0hours, 17\u00a0minutes ago<\/p>\n
Description : It is possible to cause an use-after-free write in SANM decoding with a carefully crafted animation using subversion stored_frame. Stored frames can later be referenced by FTCH\u00a0chunks. For files using subversion stored_frame. Leaving ctx->has_dimensions\u00a0set to false.<\/p>\n
A subsequent chunk with type FTCH\u00a0would call process_ftch\u00a0and decode that frame obj again, adding to the top\/left values and calling process_frame_obj\u00a0again.
\nGiven that we never set ctx->have_dimensions\u00a0before, this time we set the dimensions, calling init_buffers, which can reallocate the buffer in ctx->stored_frame, freeing the previous one. However, the GetByteContext\u00a0object gb\u00a0still holds a reference to the old buffer.<\/p>\n
Finally, when the code tries to decode the frame, codecs that accept a GetByteContext\u00a0as a parameter will trigger a use-after-free read when using gb.<\/p>\n
GetByteContext\u00a0is only used for reading bytes, so at most one could read invalid data. There are no heap allocations between the free\u00a0and when the object is accessed. However, upon returning to process_ftch, the code restores\u00a0the original values for top\/left in stored_frame, writing 4 bytes to the freed data at offset 6, potentially corrupting the allocator\u2019s metadata.<\/p>\n
This issue can be triggered just by probing whether a file has the sanm format.<\/p>\n
We recommend upgrading to version 8.0 or beyond.<\/p>\n
Severity: 8.7 | HIGH<\/p>\n
Visit the link for more details, such as CVSS details, affected products, timeline, and more…\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"
CVE ID : CVE-2025-59734 Published : Oct. 6, 2025, 8:15 a.m. | 2\u00a0hours, 17\u00a0minutes ago Description : It is possible to cause an use-after-free write in SANM decoding with a carefully crafted animation using subversion stored_frame. Stored frames can later be referenced by FTCH\u00a0chunks. For files using subversion stored_frame. Leaving ctx->has_dimensions\u00a0set to false. A subsequent …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-71031","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/71031","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=71031"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/71031\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=71031"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=71031"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=71031"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}