iDefense Security Advisory 04.17.08 - Remote exploitation of an integer overflow vulnerability in OpenOffice, as included in various vendors' operating system distributions, allows attackers to execute arbitrary code with the privileges of the logged in user. The vulnerability exists within the code responsible for parsing the EMR_STRETCHBLT record in an EMF file. This code reads in two 32-bit integers from the file, and then uses them in an arithmetic operation that calculates the number of bytes to allocate for a dynamic buffer. This calculation can overflow, resulting in an insufficiently sized buffer being allocated. Subsequently, this buffer is overflowed with data from the file. iDefense confirmed the existence of this vulnerability in OpenOffice version 2.3. Other versions may also be affected.
eaae57c05bcec835031fde7ebd775e2f4c0fa5c780568b5735acc91a31609cbb