Posted by Berend-Jan Wever on Dec 19

Since November I have been releasing details on all vulnerabilities I
found that I have not released before. This is the 35th entry in the
series. This information is available in more detail on my blog at
http://blog.skylined.nl/20161219001.html. There you can find a repro
that triggered this issue in addition to the information below, it also
provides code snippets for the affected code, and a diagram that
attempts to explain the memory layout….