Buffer overflow in Microsoft Office XP allows remote attackers to execute arbitrary code via a link with a URL file location containing long inputs after (1) "\\\%00 (null byte) in .doc filenames or (2) "\\\%0a" (carriage return) in .rtf filenames.