Integer overflow, heap buffer overflow.
vulners.com/securityvulns/securityvulns:doc:22300
vulners.com/securityvulns/securityvulns:doc:22310