CVE-2007-2500
Description
server/parser/sprite_definition.cpp in GNU Gnash (aka GNU Flash Player) 0.7.2 allows remote attackers to execute arbitrary code via a large number of SHOWFRAME elements within a DEFINESPRITE element, which triggers memory corruption and enables the attacker to call free with an arbitrary address, probably resultant from a buffer overflow.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GNU Gnash 0.7.2 has a buffer overflow in sprite definition parsing via many SHOWFRAME tags, allowing arbitrary code execution.
Vulnerability
In GNU Gnash (GNU Flash Player) version 0.7.2, the file server/parser/sprite_definition.cpp contains a buffer overflow vulnerability. When parsing a DEFINESPRITE tag, an internal variable m_loading_frame is incremented for each SHOWFRAME tag encountered. If the number of SHOWFRAME tags exceeds m_frame_count, subsequent tag loader functions (e.g., PLACEOBJECT) call add_execute_tag, which accesses m_playlist[m_loading_frame] — an out-of-bounds array index since m_playlist only has m_frame_count elements. This results in heap memory corruption and enables an attacker to call free() on an arbitrary address [1].
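The unchecked frame index described above, modelled in an added example that is not Gnash's code: a minimal DEFINESPRITE loader that counts SHOWFRAME tags against the declared frame count and refuses to index past the end of m_playlist, which is the check 0.7.2 lacked. The tag names, load(), tags_in_frame() and the per-frame counters are assumptions for illustration, not the real sprite_definition.cpp interface.

```cpp
#include <cstddef>
#include <vector>

// Added illustration, not Gnash code: a minimal model of the DEFINESPRITE loader
// in sprite_definition.cpp. Tag names and the load() interface are constructed.
enum class Tag { ShowFrame, PlaceObject };

class SpriteDefinition {
public:
    explicit SpriteDefinition(std::size_t frame_count)
        : m_frame_count(frame_count), m_loading_frame(0), m_playlist(frame_count, 0) {}

    // Walks the sprite body. Returns how many tags were rejected because the body
    // carried more SHOWFRAME tags than the DEFINESPRITE header declared.
    std::size_t load(const std::vector<Tag>& body) {
        std::size_t rejected = 0;
        for (Tag t : body) {
            if (t == Tag::ShowFrame) {
                // 0.7.2 did ++m_loading_frame unconditionally; once it reaches
                // m_frame_count, every later tag indexes past the end of m_playlist.
                if (m_loading_frame < m_frame_count) ++m_loading_frame;
                else ++rejected;
            } else if (!add_execute_tag(t)) {
                ++rejected;
            }
        }
        return rejected;
    }

    // Hardened form of add_execute_tag: bounds-check the frame index instead of
    // trusting the SHOWFRAME count read from the file.
    bool add_execute_tag(Tag) {
        if (m_loading_frame >= m_frame_count) return false;  // would be an OOB write
        ++m_playlist[m_loading_frame];
        return true;
    }

    std::size_t frames_loaded() const { return m_loading_frame; }
    std::size_t tags_in_frame(std::size_t i) const { return m_playlist.at(i); }

private:
    std::size_t m_frame_count;               // from the DEFINESPRITE header
    std::size_t m_loading_frame;             // incremented per SHOWFRAME
    std::vector<std::size_t> m_playlist;     // tags recorded per frame (count only)
};
```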
Exploitation
An attacker can exploit this vulnerability by crafting a malicious SWF file containing an excessively large number of SHOWFRAME elements within a DEFINESPRITE element. No authentication or special privileges are required; the victim only needs to open the file with the affected version of Gnash. The parsing sequence triggers the buffer overflow, leading to memory corruption and potential code execution [1].
Impact
Successful exploitation allows the attacker to execute arbitrary code on the victim's system with the privileges of the user running Gnash. This compromises the confidentiality, integrity, and availability of the system [1].
Mitigation
A patch for version 0.7.2 has been provided in the referenced bug report [1]. Users should apply the patch or upgrade to a Gnash version that includes the fix. As of the publication date, no official release containing the fix has been confirmed. Until a patched version is available, the recommended workaround is to avoid opening untrusted SWF files [1].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.
References: 7
News mentions: 0 (no linked articles in our index yet)