Multiple vulnerabilities have been reported in Oracle Outside In Technology, which can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system.

1) An error in the Paradox database stream filter (vspdx.dll) when processing the field type within a field description array can be exploited to reference unallocated memory via an unsupported type value (e.g. 14).

2) An error in the Paradox database stream filter (vspdx.dll) when processing the field names can be exploited to cause a heap-based buffer overflow via a specially crafted "number of fields" value in the table header.

3) A signedness error when parsing the size field of a LIST record within RIFF files can be exploited via a specially crafted file.

Successful exploitation of the vulnerabilities #2 and #3 may allow execution of arbitrary code.

The vulnerabilities are reported in versions 8.3.7 and 8.4 and the vulnerabilities #1 and #2 are confirmed in version 8.3.7 (w/ patch 14153713).

Solution
Apply updates (please see the vendor's advisory for details).
Further details available to Secunia VIM customers

Provided and/or discovered by
1, 2) Dmitriy Pletnev, Secunia Research.
3) An anonymous person via ZDI

Changelog
Further details available to Secunia VIM customers

Original Advisory
Secunia Research:
http://secunia.com/secunia_research/2013-1/
http://secunia.com/secunia_research/2013-2/

Oracle:
http://www.oracle.com/technetwork/topics/security/cpujan2013-1515902.html#AppendixFMW

ZDI-13-001:
http://www.zerodayinitiative.com/advisories/ZDI-13-001/

Other references
Further details available to Secunia VIM customers

Deep Links
Links available to Secunia VIM customers