CVE-2022-35090

Vulnerability

A heap-buffer-overflow vulnerability exists in SWFTools commit 772e55a2 in the gif2swf utility. The bug resides in the MovieAddFrame function in gif2swf.c at line 328, where a memcpy operation writes beyond the allocated heap buffer. The overflow occurs when processing a specially crafted GIF file, leading to a write of 8 bytes at a location 4 bytes past the end of a 992-byte region allocated via malloc at line 310. [1]

Exploitation

An attacker can exploit this vulnerability by providing a malicious GIF file to the gif2swf tool. No authentication or special privileges are required; the attacker only needs to convince a user or automated process to run ./gif2swf -o /dev/null [malicious.gif]. The crash sample provided in the issue reproduces the heap-buffer-overflow reliably. [1]

Impact

Successful exploitation results in a heap-buffer-overflow, which can cause memory corruption. This may lead to a denial of service (crash) or, under certain conditions, arbitrary code execution in the context of the gif2swf process. The exact impact depends on the memory layout and compiler defenses. [1]

Mitigation

As of the publication date (2022-09-20), no official patch has been released by the SWFTools project. The issue remains open. Users are advised to avoid processing untrusted GIF files with gif2swf until a fix is available. If possible, consider using alternative tools for GIF-to-SWF conversion. [1]