Few different stack-based buffer overflows on HTML parsing.
vulners.com/securityvulns/securityvulns:doc:12209
vulners.com/securityvulns/securityvulns:doc:12211