In GNOME GdkPixbuf (aka gdk-pixbuf) through 2.42.10, the ANI (Windows animated cursor) decoder encounters heap memory corruption (in ani_load_chunk in io-ani.c) when parsing chunks in a crafted .ani file. A crafted file could allow an attacker to overwrite heap metadata, leading to a denial of service or code execution attack. This occurs in gdk_pixbuf_set_option() in gdk-pixbuf.c.
[
{
"cpes": [
"cpe:2.3:a:gnome:gdkpixbuf:*:*:*:*:*:*:*:*"
],
"vendor": "gnome",
"product": "gdkpixbuf",
"versions": [
{
"status": "affected",
"version": "0",
"versionType": "custom",
"lessThanOrEqual": "2.42.10"
}
],
"defaultStatus": "unknown"
}
]