A remote code execution vulnerability exists in the way that Microsoft Word handles specially crafted Word files. The vulnerability could allow remote code execution if a user opens a specially crafted Word file that includes a malformed record value. The risk is MEDIUM. THis vulnerability could allow remote code execution if a user opens a specially crafted Word file that includes a malformed record value. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
DOC(4) Kernel Interfaces Manual DOC(4)NAME
DOC - (Pilot standard text document) file format
SYNOPSIS
struct doc_record0 { /* 16 bytes total */
Word version; /* 1 = plain text, 2 = compressed text */
Word reserved1;
DWord doc_size; /* uncompressed size in bytes */
Word num_recs; /* not counting itself */
Word rec_size; /* in bytes: usually 4096 (4K) */
DWord reserved2;
};
DESCRIPTION
The Doc file format is the standard text document format used by all models of the Palm Pilot. A Doc file is a pdb(4) file: this manual
page describes only those aspects specific to Doc files.
A Doc file consists of 0 to num_recs records; record 0 is the header for the document. (This header is distinct from the pdb(4) header.)
The remaining records contain text, either plain or compressed depending upon version.
Word Sizes
In the synopsis above, the types ``Word'' and ``DWord'' are used just as in the Pilot headers. The type ``Word'' is 16 bits; the type
``DWord'' is 32 bits. Both are in big-endian format.
Compression Format
A character ``c'' in a compressed record is in one of four classes:
01-08 Copy ``c'' bytes
00,09-7F Self
80-BF Sequence
C0-FF A space plus the ASCII character ``c ^ 0x80''
SEE ALSO txt2pdbdoc(1), html2pdbtxt(1), pdbtxt2html(1), pdb(4)
Christopher Bey and Kathleen Dupre. Palm File Format Specification, Document Number 3008-003, Palm, Inc., May 16, 2000.
AUTHOR
Paul J. Lucas <pauljlucas@mac.com>
txt2pdbdoc January 21, 2005 DOC(4)