This vulnerability causes programs that use libxml2, such as PHP, to crash.
This vulnerability exists because of an incomplete fix for CVE-2016-1839.
libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xml Dict Compute Fast Key function in dict.c.
This vulnerability exists because of an incomplete fix for libxml98.
Exploitation is not achievable in all cases because it requires at least one of the following: (1) the attacker can prevent the victim from receiving any e-mail messages for an extended period of time (such as 5 days), (2) the victim's e-mail system sends an autoresponse containing the original message, or (3) the victim manually composes a reply containing the original message.
Heartland Payment Systems Payment Gateway PHP SDK hps/heartland-php v2.8.17 is vulnerable to a reflected XSS in examples/consumer-authentication/via the URI, as demonstrated by the cavv parameter.
At the end of the routine, the function may strcat two more characters without checking whether the current strlen(buf) 2 A buffer overflow was discovered in libxml2 20904-GITv2.9.4-16-g0741801.
The function xml Snprintf Element Content in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. If the content-name actually fits also uses 'len' rather than the updated buffer length strlen(buf).
Affected releases are Juniper Networks Junos OS: 12.1X46 versions prior to 12.1X46-D67; 12.3 versions prior to 12.3R12-S5; 12.3X48 versions prior to 12.3X48-D35; 14.1 versions prior to 14.1R8-S5, 14.1R9; 14.1X53 versions prior to 14.1X53-D44, 14.1X53-D50; 14.2 versions prior to 14.2R7-S7, 14.2R8; 15.1 versions prior to 15.1R3; 15.1X49 versions prior to 15.1X49-D30; 15.1X53 versions prior to 15.1X53-D70.This allows us to write about "size" many bytes beyond the allocated memory.The zend_string_extend function in Zend/zend_string.h in PHP through 7.1.5 does not prevent changes to string objects that result in a negative length, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact by leveraging a script's use of .= with a long string.A malformed regular expression could result in 4 bytes being written off the end of a stack buffer of expand_case_fold_string() during the call to onigenc_unicode_get_case_fold_codes_by_str(), a typical stack buffer overflow.A stack out-of-bounds read occurs in match_at() during regular expression searching.