The COORDSYS element of an ArcPad Map file (.apm) consists of a text string which defines the projection of the ArcPad Map. This text string should not exceed 1000 characters. In versions 6.x and 7.0, ArcPad does not check the length of this text string when it reads the COORDSYS element, before copying the string into a memory buffer. Consequently, COORDSYS text strings longer than 1000 characters are copied into an insufficiently sized memory buffer, resulting in a buffer overflow. This bug makes it possible for malicious code to be executed when ArcPad opens an .apm file that carries that code in a long COORDSYS string.
The length of the COORDSYS element's text string is not checked before copying the text string into a memory buffer.
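The length check that is missing can also be applied from outside, by screening .apm files before they are opened in an affected version. The following is an added example, not ESRI code or part of the original text. It assumes the .apm file is XML and that the projection string sits in an attribute (the constructed samples use one named `string`) or in the element text; `check_apm`, `sample_apm` and the sample element names are hypothetical.

```python
import sys
import xml.etree.ElementTree as ET

MAX_COORDSYS_CHARS = 1000  # limit stated in the text above


def check_apm(data):
    """Return findings for one .apm document passed as bytes or str."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # An unparseable file cannot be cleared, so it is reported too.
        return [f"unparseable XML ({exc}); treat as suspect"]
    findings = []
    for elem in root.iter():
        # Match on the local name, ignoring case and any namespace.
        if elem.tag.rsplit("}", 1)[-1].upper() != "COORDSYS":
            continue
        # Assumption: the projection string sits in an attribute or in the
        # element text, so every value on the element is measured.
        values = dict(elem.attrib)
        values["#text"] = elem.text or ""
        for name, value in values.items():
            if len(value) > MAX_COORDSYS_CHARS:
                findings.append(f"COORDSYS {name}: {len(value)} characters "
                                f"(limit {MAX_COORDSYS_CHARS})")
    return findings


def sample_apm(n):
    """Constructed sample (not a real map file) with an n-character string."""
    return f'<ArcPad><MAP><COORDSYS string="{"G" * n}"/></MAP></ArcPad>'


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:  # no files given: run on the constructed samples
        for n in (1000, 1001):
            print(n, check_apm(sample_apm(n)))
    status = 0
    for path in paths:
        with open(path, "rb") as fh:
            for finding in check_apm(fh.read()):
                print(f"{path}: {finding}")
                status = 1
    sys.exit(status)
```

`len()` counts characters, matching the unit in which the limit is stated; the script exits non-zero when any file passed on the command line is flagged.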