Integer overflow in signed/unsigned conversion during .doc file parsing.
vulners.com/securityvulns/securityvulns:doc:6954
vulners.com/securityvulns/securityvulns:doc:8314