CVE-2025-59734 in FFmpeginfo

Summary

by MITRE • 10/06/2025

It is possible to cause an use-after-free write in SANM decoding with a carefully crafted animation using subversion <2.

When a STOR chunk is present, a subsequent FOBJ chunk will be saved in ctx->stored_frame. Stored frames can later be referenced by FTCH chunks. For files using subversion < 2, the undecoded frame is stored, and decoded again when the FTCH chunks are parsed. However, in process_frame_obj if the frame has an invalid size, there’s an early return, with a value of 0. 

This causes the code in decode_frame to still store the raw frame buffer into ctx->stored_frame. Leaving ctx->has_dimensions set to false.

A subsequent chunk with type FTCH would call process_ftch and decode that frame obj again, adding to the top/left values and calling process_frame_obj again. Given that we never set ctx->have_dimensions before, this time we set the dimensions, calling init_buffers, which can reallocate the buffer in ctx->stored_frame, freeing the previous one. However, the GetByteContext object gb still holds a reference to the old buffer.




Finally, when the code tries to decode the frame, codecs that accept a GetByteContext as a parameter will trigger a use-after-free read when using gb.

GetByteContext is only used for reading bytes, so at most one could read invalid data. There are no heap allocations between the free and when the object is accessed. However, upon returning to process_ftch, the code restores the original values for top/left in stored_frame, writing 4 bytes to the freed data at offset 6, potentially corrupting the allocator’s metadata.

This issue can be triggered just by probing whether a file has the sanm format.







We recommend upgrading to version 8.0 or beyond.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 06/21/2026

The vulnerability described in CVE-2025-59734 represents a complex use-after-free condition within the SANM (Savage Animation) file format decoder, specifically affecting versions prior to subversion 2. This flaw stems from improper handling of frame object decoding and memory management during the processing of animation files. The vulnerability manifests when a STOR chunk is followed by an FOBJ chunk, which gets stored in the context structure at ctx->stored_frame. The issue becomes apparent when processing files with subversion less than 2, where frames are stored in an undecoded state and later decoded upon encountering FTCH chunks. When the initial frame processing encounters an invalid size, an early return occurs with a value of zero, yet the raw frame buffer is still stored in ctx->stored_frame while ctx->has_dimensions remains unset to false. This creates a scenario where subsequent FTCH chunks trigger the decoding process again, leading to a second call to process_frame_obj that sets the dimensions and initializes buffers through init_buffers. The critical aspect of this vulnerability lies in the reallocation of ctx->stored_frame, which frees the previous buffer while leaving the GetByteContext object gb holding a reference to the now-freed memory region. This fundamental mismatch between memory deallocation and object reference creates the conditions for a use-after-free condition, where codecs that accept GetByteContext parameters will trigger memory access violations when attempting to read from the freed buffer. The vulnerability is particularly concerning because it can be exploited through simple file probing, requiring no complex payload crafting, making it a significant threat to applications that process SANM format files. The technical implementation involves a specific memory access pattern where the code attempts to write 4 bytes to offset 6 of the freed memory region during the restoration of top/left values in process_ftch, potentially corrupting heap allocator metadata. This type of vulnerability aligns with CWE-416, which addresses use-after-free conditions, and falls within the ATT&CK technique T1203, concerning exploitation of memory corruption vulnerabilities. The remediation strategy focuses on upgrading to version 8.0 or later, which presumably addresses the memory management inconsistencies in frame object handling and ensures proper deallocation and reference management during the decoding process. The vulnerability demonstrates how seemingly minor inconsistencies in conditional logic and memory management can lead to critical security flaws, particularly in multimedia format decoders that handle complex frame structures and buffer management scenarios.

Responsible

Google

Reservation

09/19/2025

Disclosure

10/06/2025

Moderation

accepted

CPE

ready

EPSS

0.00167

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!