MAAS History
Monday, May 10, 2010

Critical Windows Safari Flaw Currently Does Not Affect OSX

A critical flaw is being reported in the Windows version of Safari that can be triggered by an invalid pointer function call. For the flaw to be effective, the POPUP blocker has to be disabled; currently Safari installs with the POPUP blocker enabled. In addition, based on the code posted, I was unable to cause either an application DoS or arbitrary code execution. The effect is that a popup window opens with a large string ('AAA...'); you will not see the OK and Cancel buttons since they are at the very end of the long string. Hitting return will clear the window; our payload would not execute using the latest Mac OS X and Safari.

Comments in the proof-of-concept code indicate the platform tested, OS+local, and credit tag.

  • Bug discovered by Krystian Kloskowski
  • Tested on: Apple Safari 4.0.5 / XP SP2 Polish
  • Shellcode: Windows Execute Command (calc)//* Our version osx/x86/exec - 44 bytes (BLOCK BOX)
  • Local: Yes
  • Remote: Yes (POPUP must be enabled [Ctrl+Shift+K])
