Friday, September 29, 2006

ZERT Analysis of CVE-2006-4668 and Patch Description

The vulnerability in Microsoft’s Vector Graphics Rendering Engine (vgx.dll) exists due to an overzealous for() loop that copies data from a large, dynamically allocated buffer into an inadequate, fixed-size buffer on the stack. The data being copied in this routine is user-supplied as a Vector Markup Language (VML) “fill method” attribute. Legitimate values for the attribute include “none”, “any”, “linear” and “sigma” [Specification draft for VML]. A vulnerable version of the library copies the user-supplied string without checking its size, allowing a malicious document containing an overly long fill method string to cause data to be written outside of the destination buffer’s boundaries. The ZERT patch for this vulnerability adds a check to the code before execution of the described loop can begin. If the length of the user-supplied fill method string is greater than 512 bytes (the size of the destination buffer), the loop is avoided by making a jump to the function’s cleanup instructions, and the function subsequently returns null...
A short instructive article (pdf) from ZERT.
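The patched control flow described above, as an added C example that is not ZERT's patch or Microsoft's code: a hypothetical stand-in routine with the length check placed ahead of the copy loop, plus a helper that feeds it constructed attributes of chosen lengths. The function names, the 512-byte buffer as a C array and the >= comparison are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Size of the fixed stack buffer that the ZERT analysis describes. */
#define FILL_METHOD_BUF 512

/* Hypothetical stand-in for the vgx.dll routine (not the real code): copy a
 * VML "fill method" attribute of attr_len bytes into a fixed stack buffer and
 * return a heap copy, or NULL when the check fails. */
char *parse_fill_method(const char *attr, size_t attr_len) {
    char method[FILL_METHOD_BUF];
    char *result = NULL;
    size_t i;

    /* Equivalent of the ZERT check inserted ahead of the loop: if the
     * attribute does not fit, skip the loop, jump to cleanup, return NULL.
     * The analysis states the check as "greater than 512"; this stand-in
     * uses >= so the terminating NUL also stays inside the buffer. */
    if (attr_len >= FILL_METHOD_BUF)
        goto cleanup;

    /* The unpatched loop ran for attr_len bytes with no check, which is
     * what let an overly long attribute write past the end of method[]. */
    for (i = 0; i < attr_len; i++)
        method[i] = attr[i];
    method[i] = '\0';

    result = malloc(attr_len + 1);
    if (result != NULL)
        memcpy(result, method, attr_len + 1);

cleanup:
    return result;
}

/* Test helper: build a dynamically allocated attribute of len 'a' bytes
 * (constructed input) and report whether the parser accepts (1) or rejects (0) it. */
int probe_fill_method_length(size_t len) {
    char *attr = malloc(len + 1);
    char *parsed;
    int accepted;
    if (attr == NULL)
        return -1;
    memset(attr, 'a', len);
    attr[len] = '\0';
    parsed = parse_fill_method(attr, len);
    accepted = parsed != NULL;
    free(parsed);
    free(attr);
    return accepted;
}
```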

2 Comments:

Anonymous said...

I'm very, very happy that you're back; I had been waiting a long time to see you again. You haven't advertised the weblog; may I advertise it?
Your admirer,
someone for whom you are a role model

4:46 AM  
Araz Samadi said...

Penglish:
Thanks, dear... don't advertise; let those who are interested in the subject find it themselves.

10:47 AM  
