ANI vulnerability Analysis
Submitted by kernex on Fri, 2007-04-13 07:18.
Research
All versions of Windows support animated mouse pointers, and a function in USER32.DLL loads them. An .ani file is built from chunks; each chunk starts with a 4-byte ID word followed by a DWORD holding the chunk length. One of the chunks is "anih", which contains 36 bytes. The vulnerability is here: the code doesn't check the length field of the "anih" chunk before using it. Here are some teams that have published their analysis of the ANI vulnerability:
Windows Animated Cursor Stack Overflow Vulnerability
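A length check of the kind the post says is missing, as an added example rather than code from the post or from Windows: a C chunk walker that accepts an "anih" payload only when its declared length is exactly 36. The RIFF/ACON header, little-endian lengths and even-byte padding come from the RIFF container format; ani_check, make_sample and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ANIH_SIZE 36u /* fixed "anih" payload size given in the post */
enum ani_result { ANI_OK, ANI_NOT_ANI, ANI_TRUNCATED, ANI_BAD_ANIH, ANI_NO_ANIH };
/* Read a little-endian DWORD without assuming alignment. */
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }

/* Walk all chunks; copy an "anih" payload only when its declared length is exactly 36. */
enum ani_result ani_check(const uint8_t *buf, size_t len, uint8_t hdr[ANIH_SIZE]) {
    size_t off = 12; /* skip "RIFF", file size, "ACON" */
    int seen = 0;
    if (len < 12 || memcmp(buf, "RIFF", 4) || memcmp(buf + 8, "ACON", 4)) return ANI_NOT_ANI;
    while (len - off >= 8) {
        const uint8_t *id = buf + off;
        uint32_t clen = rd32(buf + off + 4);
        off += 8;
        if (clen > len - off) return ANI_TRUNCATED; /* declared length runs past the file */
        if (!memcmp(id, "LIST", 4)) { /* container: skip its type, then walk its sub-chunks */
            if (clen < 4) return ANI_TRUNCATED;
            off += 4; continue;
        }
        if (!memcmp(id, "anih", 4)) {
            if (clen != ANIH_SIZE) return ANI_BAD_ANIH; /* the check the post says is missing */
            memcpy(hdr, buf + off, ANIH_SIZE);
            seen = 1;
        }
        off += clen;
        if ((clen & 1) && off < len) off++; /* RIFF chunks are padded to an even size */
    }
    return seen ? ANI_OK : ANI_NO_ANIH;
}

/* Constructed sample: RIFF/ACON file holding one zero-filled "anih" chunk of declared length n. */
size_t make_sample(uint8_t *out, size_t cap, uint32_t n) {
    size_t total = 20 + (size_t)n;
    if (n > 200 || total > cap) return 0; /* keeps both size fields below 256 */
    memset(out, 0, total);
    memcpy(out, "RIFF", 4); memcpy(out + 8, "ACON", 4); memcpy(out + 12, "anih", 4);
    out[4] = (uint8_t)(total - 8); out[16] = (uint8_t)n;
    return total;
}

int main(void) {
    uint8_t file[128], hdr[ANIH_SIZE];
    printf("36-byte anih: %d\n", ani_check(file, make_sample(file, sizeof file, 36), hdr));
    printf("80-byte anih: %d\n", ani_check(file, make_sample(file, sizeof file, 80), hdr));
    return 0;
}
```

The walker validates every "anih" chunk it meets, including ones nested in a LIST container, instead of stopping after the first.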

thanks
thanks Kernex, very useful links