CVE-2025-59729

When parsing the header for a DHAV file, there is an integer underflow in the offset calculation that leads to reading the duration from before the start of the allocated buffer.

If we load a DHAV file that is larger than MAX_DURATION_BUFFER_SIZE bytes (0x100000), for example 0x101000 bytes, then at [0] we have size = 0x101000. At [1] we have end_buffer_size = 0x100000, and at [2] we have end_buffer_pos = 0x1000.

The loop then scans backwards through the buffer looking for the dhav tag; when it is found, we calculate end_pos based on a 32-bit offset read from the buffer.

There is subsequently a check [3] that end_pos is within the section of the file that has been copied into end_buffer, but it only correctly handles the cases where end_pos is before the start of the file or after the section copied into end_buffer, and not the case where end_pos is within the file but before the section copied into end_buffer. If we provide such an offset, (end_pos - end_buffer_pos) can underflow, resulting in the subsequent access at [4] occurring before the beginning of the allocation.
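The window arithmetic and the two versions of the bounds check, as an added illustration that is not the affected project's code: it models the advisory's description with the same names (size, end_buffer_size, end_buffer_pos, end_pos) and assumes, as a labelled simplification, that a 4-byte field is read at end_pos. incomplete_check mirrors the check the advisory describes (rejects offsets before the file start or past the window's end, but not offsets inside the file yet before end_buffer_pos); complete_check is the corrected form that requires the whole read to fall inside the copied window.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>

/* Constructed model of the scenario in the advisory, not the affected
 * project's own code. The constant value is the one the advisory quotes. */
#define MAX_DURATION_BUFFER_SIZE 0x100000
/* Assumption for this model: the access at [4] reads a 32-bit field at end_pos. */
#define DURATION_FIELD_SIZE 4

typedef struct {
    int64_t size;            /* total file size, [0] */
    int64_t end_buffer_size; /* bytes copied into end_buffer, [1] */
    int64_t end_buffer_pos;  /* file offset where the copied window begins, [2] */
} tail_window;

/* Only the last MAX_DURATION_BUFFER_SIZE bytes of the file are copied. */
tail_window tail_window_for(int64_t size) {
    tail_window w;
    w.size = size;
    w.end_buffer_size = size < MAX_DURATION_BUFFER_SIZE ? size : MAX_DURATION_BUFFER_SIZE;
    w.end_buffer_pos = size - w.end_buffer_size;
    return w;
}

/* The check as described at [3]: rejects end_pos before the file start or past
 * the end of the window, but accepts end_pos inside the file yet before
 * end_buffer_pos, i.e. before the bytes that were actually copied. */
bool incomplete_check(const tail_window *w, int64_t end_pos) {
    return end_pos >= 0 &&
           end_pos + DURATION_FIELD_SIZE <= w->end_buffer_pos + w->end_buffer_size;
}

/* Corrected check: the whole read must lie within
 * [end_buffer_pos, end_buffer_pos + end_buffer_size). */
bool complete_check(const tail_window *w, int64_t end_pos) {
    return end_pos >= w->end_buffer_pos &&
           end_pos + DURATION_FIELD_SIZE <= w->end_buffer_pos + w->end_buffer_size;
}

/* Offset into end_buffer that the access at [4] would use after the
 * incomplete check; negative means "before the beginning of the allocation". */
int64_t raw_index_after_incomplete_check(const tail_window *w, int64_t end_pos) {
    if (!incomplete_check(w, end_pos))
        return INT64_MIN; /* rejected */
    return end_pos - w->end_buffer_pos;
}

/* Offset into end_buffer under the corrected check, or -1 when rejected. */
int64_t safe_index(const tail_window *w, int64_t end_pos) {
    if (!complete_check(w, end_pos))
        return -1;
    return end_pos - w->end_buffer_pos;
}

int main(void) {
    /* Constructed sizes: the advisory's 0x101000-byte example and a small file. */
    tail_window big = tail_window_for(0x101000);
    tail_window small = tail_window_for(0x800);
    int64_t probes[] = { 0x800, 0x1000, 0x2000 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        printf("size=0x%llx end_pos=0x%llx raw=%lld safe=%lld\n",
               (long long)big.size, (long long)probes[i],
               (long long)raw_index_after_incomplete_check(&big, probes[i]),
               (long long)safe_index(&big, probes[i]));
    }
    printf("small file: end_buffer_pos=%lld, checks agree=%d\n",
           (long long)small.end_buffer_pos,
           incomplete_check(&small, 0x100) == complete_check(&small, 0x100));
    return 0;
}
```

For the 0x101000-byte file, an end_pos of 0x800 passes the incomplete check but yields a raw index of -0x800, which is exactly the read before the allocation the advisory describes; the corrected check rejects it. For files no larger than MAX_DURATION_BUFFER_SIZE, end_buffer_pos is 0 and the two checks coincide, which is why the issue only surfaces on larger files.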

We recommend upgrading to version 8.0 or beyond.
CVSS 3.x scoring by provider (Base Score / Atk. Vector / Atk. Complexity / Priv. Required / Vector):
  NIST (NIST):      UNKNOWN
  Google (CNA):     not provided
  CISA-ADP (ADP):   not provided

Awaiting analysis: this vulnerability is currently awaiting analysis; no CVSS 3.x base score has been assigned.

EPSS Score: percentile 5%