Parsing MAPI attributes in Transport Neutral Encapsulation Format (TNEF/winmail.dat).
Failure to reasonably limit record size, which is specified by user-controlled input.
Read-length-then-allocate memory use vulnerabilities are extremely common in non-OOXML Microsoft formats (and several others). There wasn’t a specific CVE associated with this vulnerability, but we did go through the code base and try to add heuristic limits any time we saw an allocation of a byte array based on a length read from the file on issue 61349: https://bz.apache.org/bugzilla/show_bug.cgi?id=61349
Although the format is not exceedingly common, it should be easy to find via fuzzing, and an arbitrary limit should be fairly easy to add