The TNEFFillMapi function in lib/ytnef.c in libytnef0 in ytnef through 1.9.2does not ensure a nonzero count value before a certain memory allocation,which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted tnef file.