Microsoft Windows .ANI file BITMAPINFOHEADER.biClrUsed bounds check missing

Quoting http://msdn.microsoft.com/en-us/library/aa930622.aspx:
typedef struct tagBITMAPINFOHEADER {
DWORD biSize;
LONG biWidth;
LONG biHeight;
WORD biPlanes;
WORD biBitCount
DWORD biCompression;
DWORD biSizeImage;
LONG biXPelsPerMeter;
LONG biYPelsPerMeter;
DWORD biClrUsed;
DWORD biClrImportant;
} BITMAPINFOHEADER;

“If the bitmap is a packed bitmap (a bitmap in which the bitmap array immediately follows the BITMAPINFO header and is referenced by a single pointer), the biClrUsed member must be either zero or the actual size of the color table.”

ANI files stores each frame of the animated cursor as a packed bitmap inside the ANI file…

Microsoft Internet Explorer 6.0/7.0 NULL pointer crashes

Two crashes caused by NULL pointer dereferences have been discovered in MSIE 6.0/7.0. These issues do not affect MSIE 8.0…

Memory corruption when loading/unloading Adobe objects through EMBED tag in Firefox

(a.k.a. CVE-2009-2983)

Adobe fixed a bug in various COM objects. Loading and unloading these objects in a webpage in Firefox allows memory corruption, which can be exploited to execute arbitrary code…

MSIE Content-Encoding: deflate memory corruption vulnerability

(a.k.a. MSRC 8769, MS09-054, CVE-2009-1547, “Data Stream Header Corruption Vulnerability”)

Microsoft fixed a bug in Internet Explorer’s “Content-Encoding:deflate” implementation…