In mspack/cab.h in libmspack before 0.8alpha and cabextract before 1.8, the CAB block input buffer is one byte too small for the maximal Quantum block, leading to an out-of-bounds write.chmd_read_headers in mspack/chmd.c in libmspack before 0.8alpha accepts a filename that has #039;\\0#039; as its first or second character .