Insuficient message length check leads to heap corruption.
vulners.com/securityvulns/securityvulns:doc:4378