In src/libpst.c:775, the extended attribute parser reads a 4-byte length (tint) from headerbuffer[xattrib.extended] and copies tint bytes from the buffer via memcpy. The guard only checks xattrib.extended < hsize, not that xattrib.extended + 4 + tint <= hsize.
An attacker can set xattrib.extended = hsize - 8 and tint = 65536, causing a 65,280-byte heap over-read.
Triggered on file open during MAPI attribute mapping.
Fix: add bounds check before the memcpy:
if (xattrib.extended + sizeof(tint) + tint > hsize) break;
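The same check in overflow-safe form, as an added example that is not libpst code or part of the original report: `read_len_prefixed` and `try_header` are hypothetical names, the length is read in host byte order, and the sample header is constructed. It goes slightly beyond the one-line fix by comparing against the bytes remaining (subtraction) rather than summing offsets, so the test cannot wrap where `size_t` is 32 bits.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not libpst code: copy a length-prefixed blob that
 * starts at `off` inside `buf` (hsize bytes). Returns 0 on success, -1 if
 * the 4-byte length or the payload would run past the end of the buffer. */
static int read_len_prefixed(const uint8_t *buf, size_t hsize, size_t off,
                             uint8_t *out, size_t out_cap, uint32_t *out_len)
{
    uint32_t tint;

    /* Is there room for the length field itself? Subtraction form, so
     * off + sizeof(tint) is never computed and cannot wrap. */
    if (off > hsize || hsize - off < sizeof(tint))
        return -1;
    memcpy(&tint, buf + off, sizeof(tint)); /* assumption: host byte order */

    /* Is there room for tint payload bytes after the length field? */
    if (tint > hsize - off - sizeof(tint))
        return -1;
    if (tint > out_cap) /* destination must be large enough as well */
        return -1;

    memcpy(out, buf + off + sizeof(tint), tint);
    *out_len = tint;
    return 0;
}

/* Constructed sample: 64-byte header with a length field written at `off`. */
static int try_header(size_t off, uint32_t claimed_len)
{
    uint8_t header[64] = {0}, out[64];
    uint32_t got = 0;
    if (off + sizeof(claimed_len) <= sizeof(header))
        memcpy(header + off, &claimed_len, sizeof(claimed_len));
    return read_len_prefixed(header, sizeof(header), off, out, sizeof(out), &got);
}

int main(void)
{
    printf("in-bounds: %d\n", try_header(16, 8));
    printf("oversized: %d\n", try_header(64 - 8, 65536)); /* shape from the report */
    printf("wrapping:  %d\n", try_header(16, UINT32_MAX));
    printf("truncated: %d\n", try_header(62, 0));
    return 0;
}
```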