Re: CVE request: ppthtml heap-based buffer overflow

[Murray McAllister <mmcallis () redhat com>]

On 11/14/2013 03:11 PM, Murray McAllister wrote:
> Morning,
>
> A heap-based buffer overflow flaw was reported in ppthtml:
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729279
>
> Looking in xlhtml-0.5-15.fc19.src.rpm, I think the root cause of the
> problem is in __OLEdecode() with an under allocation here:
>
> 163   BDepot = (U8 *) malloc (0x0200 * (num_bbd_blocks + num_xbbd_blocks));

Setting num_bbd_blocks and num_xbbd_blocks both to "1" also leads 
similar problems.