Oracle Outside In is a suite of software development kits that provides developers with a comprehensive solution to access, transform, and control the contents of over 500 unstructured file formats.
In Outside In versions 18.104.22.168 through 8.3.7, the XPM image processing code does not properly validate the value of the chars_per_pixel length string in XPM images. The value of this string is copied into a fixed-size, statically allocated string buffer without first checking that it fits, causing a stack-based buffer overflow. This vulnerability may be exploited by an attacker who can convince a user of an application that uses a vulnerable version of Outside In to open a specially crafted XPM file.
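The root cause described above is a missing length check before a copy into a fixed-size buffer. The C program below is an added illustration of the check that was absent; it is not Oracle Outside In code or code from the exploit module. It parses the XPM "Values" line (`width height ncolors chars_per_pixel [x_hot y_hot]`), copies the chars_per_pixel token into a fixed-size buffer only after confirming it fits, and rejects the image otherwise. The buffer size `CPP_TOKEN_MAX`, the function names, the sample header lines and the upper bound of 4 characters per pixel are assumptions for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the fixed buffer that receives one header token.
 * A parser that copies the token without checking its length against
 * this size has exactly the stack overflow the advisory describes. */
#define CPP_TOKEN_MAX 8

typedef struct {
    unsigned width, height, ncolors, chars_per_pixel;
} xpm_values;

/* Copy whitespace-separated token number `index` of `line` into `out`.
 * Returns 0 on success, -1 if the token is missing or does not fit.
 * The `len >= out_sz` test is the bounds check the vulnerable code lacked. */
static int copy_token(const char *line, int index, char *out, size_t out_sz)
{
    const char *p = line;
    for (int i = 0;; i++) {
        while (*p && isspace((unsigned char)*p)) p++;
        if (!*p) return -1;                 /* fewer tokens than requested */
        const char *start = p;
        while (*p && !isspace((unsigned char)*p)) p++;
        size_t len = (size_t)(p - start);
        if (i == index) {
            if (len >= out_sz) return -1;   /* would overflow: reject, never truncate silently */
            memcpy(out, start, len);
            out[len] = '\0';
            return 0;
        }
    }
}

/* Parse the four mandatory XPM header values. Returns 0 on success,
 * -1 if any field is missing, non-numeric, zero, or oversized. */
int xpm_parse_values(const char *line, xpm_values *v)
{
    char tok[CPP_TOKEN_MAX];
    unsigned *fields[4] = { &v->width, &v->height, &v->ncolors, &v->chars_per_pixel };

    for (int i = 0; i < 4; i++) {
        if (copy_token(line, i, tok, sizeof tok) != 0) return -1;
        char *end;
        unsigned long val = strtoul(tok, &end, 10);
        if (!isdigit((unsigned char)tok[0]) || *end != '\0' || val == 0 || val > 0xFFFFu)
            return -1;
        *fields[i] = (unsigned)val;
    }
    /* chars_per_pixel is the number of characters encoding one pixel in
     * the Pixels section; real images use 1 to 3. Assumed hard limit: 4. */
    if (v->chars_per_pixel > 4) return -1;
    return 0;
}

/* Convenience wrapper for callers and tests: the parsed chars_per_pixel,
 * or -1 when the header is rejected. */
int xpm_cpp_or_error(const char *line)
{
    xpm_values v;
    return xpm_parse_values(line, &v) == 0 ? (int)v.chars_per_pixel : -1;
}

int main(void)
{
    /* Constructed sample header lines: one well-formed, one with an
     * oversized chars_per_pixel token that a naive strcpy would overflow. */
    const char *good = "16 16 4 1";
    const char *oversized = "16 16 4 111111111111111111111111";
    printf("%-40s -> %d\n", good, xpm_cpp_or_error(good));
    printf("%-40s -> %d\n", oversized, xpm_cpp_or_error(oversized));
    return 0;
}
```

Rejecting the file outright is deliberate: truncating the token to fit the buffer would avoid the overflow but leave the parser working with a chars_per_pixel value that disagrees with the Pixels section that follows.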
Because Outside In is an SDK, third-party applications distribute its libraries. Check with your application provider to make sure you are running the latest version of the affected software.
This exploit has been tested against Avantstar Quick View Plus 12.0.0 Standard Edition on Windows XP SP3 English (DEP OptIn).