Partially controlled memory write vulnerability exists in Mac Works Database file format parsing code of Oracle Outside In Technology Content Access SDK. An unchecked pointer arithmetic causes an out of bounds memory write which can lead to denial of service or possibly code execution.
When parsing a Mac Works Database document memory is being written in a loop using a counter in destination address calculations. No size checks are performed after the arithmetic operations resulting in a partially controlled 2 byte overwrite.
Although the file is identified by as a MWKD document, leading to it being
parsed by libvs_mwkd library, the vulnerability can be triggered by the example
parsepst application supplied with the SDK.
Technical information below:
Vulnerability is present in
VwStreamReadRecord function in libvs_mwkd.so library
(with image base at 0xB7F89000), specifically starting in the following basic block:
.text:B7F8ACF6 movzx eax, [esp+3Ch+var_12] .text:B7F8ACFB mov edx, [edi+31Ch] .text:B7F8AD01 mov ecx, ebp .text:B7F8AD03 mov [edx+eax], cl .text:B7F8AD06 movzx eax, word ptr [esp+3Ch+var_10]  .text:B7F8AD0B movzx esi, [esp+3Ch+var_12]  .text:B7F8AD10 mov [edi+eax*2+298h], si  .text:B7F8AD18 add word ptr [esp+3Ch+var_10], 1 .text:B7F8AD1E add esi, 1 .text:B7F8AD21 mov [esp+3Ch+var_12], si .text:B7F8AD26 cmp bp, 0F9h .text:B7F8AD2B ja loc_B7F8AE1A .text:B7F8AD31 test bp, bp .text:B7F8AD34 jz loc_B7F8ADEB .text:B7F8AD3A mov [esp+3Ch+var_1A], 0 .text:B7F8AD41 jmp short loc_B7F8AD71
At  and  pre-calculated values of
esi are read from the stack
and zero extended. At 
eax is being used in destination address calculation
and the value of
si is being written there. Initial values of
eax serving as a counter. No bounds checking is in place
resulting in a possible 2 byte out of bounds overwrite.
In the supplied testcase, last seven bytes can be used to influence the
written value. The supplied testcase crashes the
parsepst program upon
free() on an invalid pointer. The overwritten pointer is allocated in
VStreamOpen function and it's least significant byte is later overwritten
as a result of out of bounds memory write.
A specially crafted file could be used to shift the to-be-freed pointer to
an attacker controlled area which can then be used to subvert the
and achieve code execution.
2016-04-12 - Discovered
2016-04-29 - Initial Vendor Communication
2016-07-19 - Public Release
Discovered by Aleksandar Nikolic of Cisco Talos.