Richard Howe

Rank: #21137 of 53,624
Total CVSS: 11.8
Vulnerabilities · 2
Medium: 2
PT-2026-46057
6.5
2026-06-03
Libxls · Libxls · CVE-2026-26824
**Name of the Vulnerable Software and Affected Versions** libxls versions prior to 1.6.4

**Description** The OLE container parser contains an issue where memory allocated for the Master Sector Allocation Table (MSAT) in the `read_MSAT()` function is not fully initialized before being used by the `ole2_validate_sector_chain()` function. This can lead to application crashes or potential information disclosure when the software processes a specially crafted XLS file.

**Recommendations** Update to a version newer than 1.6.3.
PT-2026-46058
5.3
2026-06-03
Libxls · Libxls · CVE-2026-26825
**Name of the Vulnerable Software and Affected Versions** libxls version 1.6.3

**Description** A use-of-uninitialized memory issue occurs when parsing malformed XLS files. The flaw is triggered by uninitialized heap memory originating from the OLE layer `ole2_read` and is reachable via the `xls_parseWorkBook()` function. This can result in undefined behavior, incorrect parsing logic, or potential information disclosure.

**Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.