GCC Productions Inc. Fade In XML parser out-of-bounds write vulnerability
An out-of-bounds write vulnerability exists in the XML parser of GCC Productions Inc. Fade In version 4.2.0 and may lead to memory overflow. An attacker can trigger the vulnerability with a malicious .fadein file. The CVSSv3 score is 7.8. 2025-10-28 00:0:46 Author: talosintelligence.com

SUMMARY

An out-of-bounds write vulnerability exists in the XML parser functionality of GCC Productions Inc. Fade In 4.2.0. A specially crafted .fadein file can lead to an out-of-bounds write. An attacker can provide a malicious file to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

GCC Productions Inc. Fade In 4.2.0

PRODUCT URLS

Fade In - https://www.fadeinpro.com/

CVSSv3 SCORE

7.8 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-787 - Out-of-bounds Write

DETAILS

Fade In Professional Screenwriting Software (also known simply as Fade In) is software for writing screenplays in the industry standard format.

Fade In uses .fadein file format which is a standard ZIP file with embedded XML file inside.

The vulnerability exists in the XML parsing logic of the Fade In software. The parser expects the “builtin_index” XML property to always be present. However, if it is missing or its value is a negative index, the software uses that negative index to access and write memory. This results in a memory corruption vulnerability.
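The missing-or-negative index handling described above, as an added C example (not Fade In's own code): the unchecked pattern next to a hardened parser that rejects a missing, malformed, negative or out-of-range builtin_index before any write. The table name, its size and the mapping of a missing attribute to -1 are constructed for this example.

```c
#include <errno.h>
#include <stdlib.h>

#define NUM_BUILTINS 8
/* Toy stand-in for the per-builtin table the parser writes into
 * (constructed for this example; the real layout is not on the page). */
int g_builtin_table[NUM_BUILTINS];

/* Vulnerable pattern: the attribute is assumed present and non-negative.
 * A missing attribute is mapped to -1 here (an assumed default) and a
 * negative string is taken at face value, so the store lands before the
 * start of the table. Shown for contrast only; never called by the test. */
void apply_builtin_unchecked(const char *attr, int value)
{
    int idx = attr ? atoi(attr) : -1;
    g_builtin_table[idx] = value;   /* out-of-bounds write when idx < 0 or idx >= NUM_BUILTINS */
}

/* Hardened parser: returns 0 and stores a validated index in *out,
 * or -1 when the attribute is missing, not a clean decimal integer,
 * negative, or beyond the table. */
int parse_builtin_index(const char *attr, size_t table_len, size_t *out)
{
    char *end;
    long v;

    if (attr == NULL || *attr == '\0')
        return -1;                          /* attribute missing: reject the file */
    errno = 0;
    v = strtol(attr, &end, 10);
    if (errno != 0 || end == attr || *end != '\0')
        return -1;                          /* trailing junk or overflow */
    if (v < 0 || (unsigned long)v >= table_len)
        return -1;                          /* negative or past the end of the table */
    *out = (size_t)v;
    return 0;
}

/* Hardened store: only writes when the index passed validation. */
int apply_builtin_checked(const char *attr, int value)
{
    size_t idx;
    if (parse_builtin_index(attr, NUM_BUILTINS, &idx) != 0)
        return -1;
    g_builtin_table[idx] = value;
    return 0;
}
```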

.text:00721FC0                 push    ebp
.text:00721FC1                 mov     ebp, esp
.text:00721FC3                 push    esi
.text:00721FC4                 push    edi
.text:00721FC5                 mov     edi, [ebp+arg_0]
.text:00721FC8                 mov     esi, ecx
.text:00721FCA                 cmp     esi, edi
.text:00721FCC                 jz      loc_7223B7
.text:00721FD2                 mov     eax, [edi]
.text:00721FD4                 lea     ecx, [esi+28h]
.text:00721FD7                 mov     [esi], eax      ; memory corruption
.text:00721FD9                 lea     eax, [edi+28h]
.text:00721FDC                 mov     dword ptr [esi+24h], 0
.text:00721FE3                 cmp     ecx, eax
.text:00721FE5                 jz      short loc_721FFA
.text:00721FE7                 cmp     dword ptr [eax+14h], 8
.text:00721FEB                 mov     edx, eax
.text:00721FED                 jb      short loc_721FF1
.text:00721FEF                 mov     edx, [eax]
48d0.66b8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=035a8dd8 ebx=0360fd68 ecx=88000b28 edx=01790000 esi=88000b00 edi=002fe534
eip=00681fd7 esp=002fe4fc ebp=002fe504 iopl=0         nv up ei ng nz ac pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210296
Fade_In!cJSON_malloc+0x174c37:
00681fd7 8906            mov     dword ptr [esi],eax  ds:002b:88000b00=????????

Crash Information

0:000> !analyze -v
Reloading current modules
...................................................

************* Symbol Loading Error Summary **************
Module name            Error
Fade In                The system cannot find the file specified

You can troubleshoot most symbol related issues by turning on symbol
loading diagnostics (!sym noisy) and repeating the command that caused
symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************


KEY_VALUES_STRING: 1

    Key  : AV.Type
    Value: Write

    Key  : Analysis.CPU.mSec
    Value: 1593

    Key  : Analysis.Elapsed.mSec
    Value: 18966

    Key  : Analysis.IO.Other.Mb
    Value: 0

    Key  : Analysis.IO.Read.Mb
    Value: 1

    Key  : Analysis.IO.Write.Mb
    Value: 38

    Key  : Analysis.Init.CPU.mSec
    Value: 937

    Key  : Analysis.Init.Elapsed.mSec
    Value: 24745

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 55

    Key  : Analysis.Version.DbgEng
    Value: 10.0.27871.1001

    Key  : Analysis.Version.Description
    Value: 10.2505.01.02 x86fre

    Key  : Analysis.Version.Ext
    Value: 1.2505.1.2

    Key  : Failure.Bucket
    Value: INVALID_POINTER_WRITE_c0000005_Fade_In.exe!Unknown

    Key  : Failure.Exception.Code
    Value: 0xc0000005

    Key  : Failure.Exception.IP.Address
    Value: 0x681fd7

    Key  : Failure.Exception.IP.Module
    Value: Fade_In

    Key  : Failure.Exception.IP.Offset
    Value: 0x321fd7

    Key  : Failure.Hash
    Value: {c45a0f7f-059c-9f69-23c6-958092d0c9aa}

    Key  : Failure.ProblemClass.Primary
    Value: INVALID_POINTER_WRITE

    Key  : Timeline.OS.Boot.DeltaSec
    Value: 590824

    Key  : Timeline.Process.Start.DeltaSec
    Value: 24

    Key  : WER.OS.Branch
    Value: vb_release

    Key  : WER.OS.Version
    Value: 10.0.19041.1

    Key  : WER.Process.Version
    Value: 4.2.0.1039


NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 00681fd7 (Fade_In!cJSON_malloc+0x00174c37)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 88000b00
Attempt to write to address 88000b00

FAULTING_THREAD:  66b8

PROCESS_NAME:  Fade In.exe

WRITE_ADDRESS:  88000b00

ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwołała się do
pamięci pod adresem 0x%p. Pamięć nie może być %s.

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  00000001

EXCEPTION_PARAMETER2:  88000b00

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
002fe504 00638862     002fe534 ba8549dc 035a8dd8 Fade_In!cJSON_malloc+0x174c37
002fe8cc 006320ec     0360fd00 ba854c20 07857c88 Fade_In!cJSON_malloc+0x12b4c2
002fed30 0042c412     036106c0 ba854e24 07857c88 Fade_In!cJSON_malloc+0x124d4c
002fef34 0042d1ef     002ff208 00000000 ba8554ac Fade_In+0xcc412
002ff5bc 0054deef     0320d79c 00000000 ba8558f4 Fade_In+0xcd1ef
002ff9e4 004af4ca     0320d79c 00000000 00000000 Fade_In!cJSON_malloc+0x40b4f
002ffb54 00a955cf     002ffc84 002ffb80 00a94817 Fade_In+0x14f4ca
002ffb60 00a94817     0349aa98 004aeb90 00000000 Fade_In!cJSON_malloc+0x58822f
002ffb80 00a92772     0349aa98 017b84c8 002ffc84 Fade_In!cJSON_malloc+0x587477
002ffb98 00a937ed     01047af0 0349aa98 002ffc84 Fade_In!cJSON_malloc+0x5853d2
002ffbbc 00a925ec     002ffc84 ba855ae0 0349aa98 Fade_In!cJSON_malloc+0x58644d
002ffbf0 00a926b1     002ffc84 ba855d34 002ffc84 Fade_In!cJSON_malloc+0x58524c
002ffc24 00a9325a     002ffc84 ba855d40 002ffc84 Fade_In!cJSON_malloc+0x585311
002ffc50 008f2b97     002ffc84 0349aa98 017ddaa0 Fade_In!cJSON_malloc+0x585eba
002ffc68 0093d3a2     002ffc84 ba855dd0 03604be0 Fade_In!cJSON_malloc+0x3e57f7
002ffcc0 00b54174     00b53f8f ba855de0 03604be0 Fade_In!cJSON_malloc+0x430002
002ffcf0 00b541fa     ba855c34 03604be0 0179b8e0 Fade_In!cJSON_malloc+0x646dd4
002ffd24 00a956b3     ba855c48 00000000 0000000a Fade_In!cJSON_malloc+0x646e5a
002ffd58 00b562d2     ba855c9c 00000000 0000000a Fade_In!cJSON_malloc+0x588313
002ffd8c 00adc862     01051158 017b26c0 ba855cd4 Fade_In!cJSON_malloc+0x648f32
002ffdc4 0093cd58     01051158 017b26c0 002ffdec Fade_In!cJSON_malloc+0x5cf4c2
002ffdd4 003e98c7     00360000 00000000 00000000 Fade_In!cJSON_malloc+0x42f9b8
002ffdec 00c1972c     00360000 00000000 0179519a Fade_In+0x898c7
002ffe38 76c2fcc9     0123c000 76c2fcb0 002ffea4 Fade_In!cJSON_malloc+0x70c38c
002ffe48 771182ae     0123c000 96d967fd 00000000 KERNEL32!BaseThreadInitThunk+0x19
002ffea4 7711827e     ffffffff 7713932d 00000000 ntdll!__RtlUserThreadStart+0x2f
002ffeb4 00000000     00c197b0 0123c000 00000000 ntdll!_RtlUserThreadStart+0x1b


STACK_COMMAND: ~0s; .ecxr ; kb

SYMBOL_NAME:  Fade_In+174c37

MODULE_NAME: Fade_In

IMAGE_NAME:  Fade In.exe

FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_c0000005_Fade_In.exe!Unknown

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x86

OSNAME:  Windows 10

IMAGE_VERSION:  4.2.0.1039

FAILURE_ID_HASH:  {c45a0f7f-059c-9f69-23c6-958092d0c9aa}

Followup:     MachineOwner
---------
TIMELINE

2025-08-20 - Initial Vendor Contact
2025-08-26 - Vendor Disclosure
2025-10-27 - Vendor Patch Release
2025-10-28 - Public Release

Discovered by Piotr Bania of Cisco Talos.


Source: https://talosintelligence.com/vulnerability_reports/TALOS-2025-2250