chmlib prior to 0.39 allows user-assisted remote malicious users to execute arbitrary code via a crafted page block length in a CHM file, which triggers memory corruption.
chmlib chmlib