Bug: Buffer overflow when COORDSYS element in ArcPad Map file (.apm) has more than 1000 characters

Description

The COORDSYS element of an ArcPad Map file (.apm) consists of a text string which defines the projection of the ArcPad Map. This text string should not exceed 1000 characters. In versions 6.x and 7.0, ArcPad does not check the length of this text string when it reads the COORDSYS element and copies the string into a fixed-size memory buffer. Consequently, a COORDSYS text string longer than 1000 characters is copied into an insufficiently sized memory buffer, resulting in a buffer overflow. This bug provides the potential for malicious code to be executed when opening an .apm file whose long COORDSYS string contains that code.

Cause

The length of the COORDSYS element's text string is not checked before copying the text string into a memory buffer.

Workaround

Exercise caution when opening ArcPad Map files from unknown sources.

Like many common file types, ArcPad Map files (.apm), ArcPad Layer files (.apl), and ArcPad Applet files (.apa) can all contain embedded scripts. These embedded scripts also provide the potential to execute malicious code when the file is opened by ArcPad. Caution should always be exercised when opening any file that can contain an embedded script - especially files received from anyone other than a trusted source.

A service pack for ArcPad 7.0 will be released in April, 2006. This service pack includes a fix which discards any characters that exceed the 1000 character limit for the COORDSYS element.
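As an added illustration of the check described above (this is example code, not Esri's or ArcPad's own): a bounded copy of the COORDSYS text that discards characters beyond the 1000-character limit and reports that it did so, plus a minimal extractor that reads the element from a constructed .apm-style fragment. The element layout of the fragment and the probe helper are assumptions made for the example.

```c
#include <stdlib.h>
#include <string.h>

#define COORDSYS_MAX 1000   /* limit the advisory gives for COORDSYS text */

/* Bounded copy of the COORDSYS text into a fixed buffer of COORDSYS_MAX
 * characters plus terminator. Excess input is discarded, which is what the
 * advisory says the service pack does; *truncated lets the caller log it. */
size_t copy_coordsys(const char *src, size_t src_len,
                     char dst[COORDSYS_MAX + 1], int *truncated)
{
    size_t n = src_len;
    *truncated = 0;
    if (n > COORDSYS_MAX) { n = COORDSYS_MAX; *truncated = 1; } /* the missing check */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

/* Extract the text content of the first <COORDSYS ...>...</COORDSYS>
 * element from an in-memory .apm document (assumed to be plain XML text)
 * into out. Returns 1 on success, 0 if the element is absent/malformed. */
int load_coordsys(const char *doc, char out[COORDSYS_MAX + 1], int *truncated)
{
    const char *open = strstr(doc, "<COORDSYS");
    const char *gt = open ? strchr(open, '>') : NULL;
    const char *close = gt ? strstr(gt + 1, "</COORDSYS>") : NULL;
    if (!close) return 0;
    copy_coordsys(gt + 1, (size_t)(close - (gt + 1)), out, truncated);
    return 1;
}

/* Constructed sample (not a real .apm): a fragment whose COORDSYS text is
 * n copies of 'A'. Returns the number of characters kept, or -1 on error. */
int probe(size_t n, int *truncated)
{
    const char *head = "<ArcPad><MAP><COORDSYS name=\"Constructed\">";
    const char *tail = "</COORDSYS></MAP></ArcPad>";
    char out[COORDSYS_MAX + 1];
    char *doc = malloc(strlen(head) + n + strlen(tail) + 1);
    int ok;
    if (!doc) return -1;
    strcpy(doc, head);
    memset(doc + strlen(head), 'A', n);
    strcpy(doc + strlen(head) + n, tail);
    ok = load_coordsys(doc, out, truncated);
    free(doc);
    return ok ? (int)strlen(out) : -1;
}
```

A file that trips the truncated flag is worth logging: with the fix applied it is harmless, but it is also not something a legitimately saved map would contain.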