[VIM] windows clarity

security curmudgeon jericho at attrition.org
Thu May 12 12:14:36 EDT 2005


links to MS05-002


links to CAN-2004-1049 and CAN-2004-1305


links to MS05-002


MS05-002 doesn't mention CAN-2005-0416 though. does anyone know why? 
looking at the two CVE entries that seem to overlap:

Integer overflow in the LoadImage API of the USER32 Lib for Microsoft 
Windows allows remote attackers to execute arbitrary code via a .bmp, 
.cur, .ico or .ani file with a large image size field, which leads to a 
buffer overflow, aka the "Cursor and Icon Format Handling Vulnerability."

The Windows Animated Cursor (ANI) capability in Windows NT, Windows 2000 
through SP4, Windows XP through SP1, and Windows 2003 allows remote 
attackers to execute arbitrary code via the AnimationHeaderBlock length 
field, which leads to a stack-based buffer overflow.

Integer overflow vs stack-based overflow. image size field vs 
AnimationHeaderBlock field. are these really two distinct vulns, or 
fundamentally the same library underneath?
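As an added illustration (not part of the original post, and not Microsoft's code), the following Python sketches the two checks the quoted CVE descriptions imply: a fixed-length check on the anih chunk of a RIFF ACON (animated cursor) file, and an overflow-aware size computation for a DIB pixel buffer. The 36-byte ANIHEADER and the RIFF chunk layout are the standard formats; the sample files are constructed inline.

```python
import struct

ANIH_SIZE = 36  # sizeof(ANIHEADER) on Windows: nine little-endian DWORDs

def check_ani(data):
    """Walk the RIFF chunks of an animated cursor and report anih length problems.

    Returns a list of findings; an empty list means every anih chunk is exactly
    36 bytes, which is the check a fixed-size stack copy of that header needs.
    """
    findings = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF ACON (animated cursor) file"]
    pos = 12
    while pos + 8 <= len(data):
        fourcc = data[pos:pos + 4]
        (size,) = struct.unpack_from("<I", data, pos + 4)
        body = pos + 8
        if size > len(data) - body:  # declared length runs past end of file
            findings.append(f"chunk {fourcc!r} declares {size} bytes, "
                            f"only {len(data) - body} remain")
            break
        if fourcc == b"anih" and size != ANIH_SIZE:
            findings.append(f"anih chunk length {size} != {ANIH_SIZE}")
        pos = body + size + (size & 1)  # RIFF chunks are padded to even length
    return findings

def bmp_pixel_bytes(width, height, bpp):
    """Bytes needed for a DIB pixel array, or None if the product would wrap a DWORD.

    Python integers do not wrap, so the exact product is compared against the
    32-bit limit; an unchecked DWORD multiply would allocate the wrapped value.
    """
    row_bytes = ((width * bpp + 31) // 32) * 4  # scanlines are DWORD-aligned
    total = row_bytes * height
    return None if total > 0xFFFFFFFF else total

def build_ani(anih_len):
    """Construct a minimal ACON file whose anih chunk has the given length (sample input)."""
    anih = struct.pack("<9I", ANIH_SIZE, 1, 1, 32, 32, 32, 1, 10, 1)  # well-formed header
    payload = (anih + b"\x00" * anih_len)[:anih_len]  # oversize chunk is zero-padded
    chunk = b"anih" + struct.pack("<I", anih_len) + payload + (b"\x00" if anih_len & 1 else b"")
    return b"RIFF" + struct.pack("<I", 4 + len(chunk)) + b"ACON" + chunk

if __name__ == "__main__":
    print(check_ani(build_ani(36)))                # []
    print(check_ani(build_ani(4096)))              # ['anih chunk length 4096 != 36']
    print(bmp_pixel_bytes(0x10000, 0x10000, 32))   # None: 16 GiB does not fit in a DWORD
```

The first check is a length-field-versus-fixed-buffer mismatch, the second an arithmetic wrap on declared dimensions, which is the distinction the two CVE wordings are drawing.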
