Multiple heap-based buffer overflows in WordPerfect Document importer/exporter (libwpd) before 0.8.9 allow user-assisted remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted WordPerfect file in which values to loop counters are not properly handled in the (1) WP3TablesGroup::_readContents and (2) WP5DefinitionGroup_DefineTablesSubGroup::WP5DefinitionGroup_DefineTablesSubGroup functions. NOTE: the integer overflow has been split into CVE-2007-1466.
Vector: NETWORK
Complexity: MEDIUM
Authentication: NONE
Confidentiality: COMPLETE
Integrity: COMPLETE
Availability: COMPLETE
Improper Restriction of Operations within the Bounds of a Memory Buffer (ID 119)
Related CAPEC 11
Buffer Overflow via Environment Variables (CAPEC-ID 10)
Overflow Buffers (CAPEC-ID 100)
Client-side Injection-induced Buffer Overflow (CAPEC-ID 14)
Filter Failure through Buffer Overflow (CAPEC-ID 24)
MIME Conversion (CAPEC-ID 42)
Overflow Binary Resource File (CAPEC-ID 44)
Buffer Overflow via Symbolic Links (CAPEC-ID 45)
Overflow Variables and Tags (CAPEC-ID 46)
Buffer Overflow via Parameter Expansion (CAPEC-ID 47)
Buffer Overflow in an API Call (CAPEC-ID 8)
Buffer Overflow in Local Command-Line Utilities (CAPEC-ID 9)