The HtmlHelp application (hh.exe) in Microsoft Windows reads a value from a .CHM file to set a length parameter. By setting this value to a large number, it is possible to overwrite sections of the heap with attacker-supplied values. Affected software includes: Microsoft Windows 98, 98SE, ME, Microsoft Windows NT 4.0, Microsoft Windows 2000 Service Pack 4, Microsoft Windows XP, Microsoft Windows XP Service Pack 1, Microsoft Windows Server 2003.
You can download this advisory from the following link: https://packetstormsecurity.com/files/download/33788/HtmlHelpchm.txt
Source: https://packetstormsecurity.com/files/33788/HtmlHelpchm.txt.html

