A partially controlled memory write vulnerability exists in Mac Word file format of Oracle Outside In Technology Content Access SDK. An unchecked pointer arithmetic creates a bitwise OR on out of bounds memory address, resulting in memory corruption and likely program termination.
When parsing a Mac Word document a single-byte value from a file is used as a
max value for a counter which is used in arithmetic operations for memory access.
No size checks are performed after the arithmetic operations resulting in an
out of bound memory access. Calculated memory address is used as a destination
or byte instruction.
Although the file is identified by OIT CA SDK as FI_MACWORD5, leading to it being
parsed by libvs_word library, the vulnerability can be triggered by the example
parsepst application supplied with the SDK.
The vulnerability is present in function at address sub_B74A83AC, specifically starting in the following basic block:
.text:B74AAA7F mov eax, edi  .text:B74AAA81 shl eax, 4  .text:B74AAA84 mov esi, [esp+12Ch+arg_4] .text:B74AAA8B add eax, [esi+25Ch]  .text:B74AAA91 or byte ptr [eax+810h], 8  .text:B74AAA98
At  value in edi is a counter with upper value coming from a file being parsed. At  and  additional arithmetic is performed with the value of the counter as an argument. Final value of eax is calculated at  and at  is being used as a destination operand resulting in a bit being set at the calculated address.
No bounds checking is performed and with a high upper value of the counter out of bounds memory can be written.
While parsing the supplied testcase, out of bounds access results in a pointer previously initialized to NULL to become non-NULL leading to an invalid free() during the cleanup after the file has been parsed.
The byte used as an counter upper bound is located at offset 0x334 in the supplied testcase.
In a hypothetical situation, more interesting data structures could be located in the addresses being accessed out of bounds potentially leading to abuse.
2016-04-12 - Discovered
2016-04-19 - Initial Vendor Contact
2016-07-19 - Public Release
Discovered by Aleksandar Nikolic of Cisco Talos.