Back in 2002, a very interesting vulnerability was found and fixed in the Apache web server. Relating to a bug in chunked encoding handling, the vulnerability caused a memcpy() call with a negative length with the destination on the stack. Of course, many parties were quick to proclaim the vulnerability unexploitable beyond a denial of service. After all, a negative length to memcpy() represents a huge copy which is surely guaranteed to hit an unmapped page and terminate the process. So it was a surprise when a working remote code execution exploit turned up for FreeBSD and other BSD variants, due to a quirk in their memcpy() implementations!
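To make the signed-length pitfall concrete, here is an added C illustration (hypothetical names; not Apache's code): a chunk-size line parsed into an int slips past a signed bounds check and reaches memcpy() as SIZE_MAX, beside the unsigned check that rejects it.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added illustration, not Apache's code; every name here is hypothetical.
 * Parse the hex digits of a chunk-size line such as "1a\r\n" into *out.
 * Returns 1 on success, 0 on a malformed line or more than 8 hex digits. */
static int parse_chunk_size(const char *line, uint32_t *out)
{
    uint32_t v = 0;
    int n = 0;
    for (; *line && *line != '\r' && *line != ';'; ++line, ++n) {
        int d;
        if (*line >= '0' && *line <= '9')      d = *line - '0';
        else if (*line >= 'a' && *line <= 'f') d = *line - 'a' + 10;
        else if (*line >= 'A' && *line <= 'F') d = *line - 'A' + 10;
        else return 0;
        if (n >= 8) return 0;               /* would overflow 32 bits */
        v = (v << 4) | (uint32_t)d;
    }
    *out = v;
    return n > 0;
}

/* Buggy shape: the length is held in a signed int and checked against a
 * 64-byte stack buffer. Returns the byte count memcpy() would receive after
 * the check, or 0 if the chunk was rejected. The copy is not performed. */
static size_t length_reaching_memcpy_signed(const char *line)
{
    uint32_t raw;
    if (!parse_chunk_size(line, &raw))
        return 0;
    int len = (int)raw;                     /* "ffffffff" -> -1 */
    if (len > 64)                           /* -1 > 64 is false: bypassed */
        return 0;
    return (size_t)len;                     /* -1 -> SIZE_MAX: wild copy */
}

/* Hardened shape: keep the length unsigned and compare it with the real
 * capacity of dst (and the bytes available in src) before copying.
 * Returns bytes copied; 0 also means the chunk was rejected. */
static size_t copy_chunk_checked(char *dst, size_t cap, const char *src, size_t src_len, const char *line)
{
    uint32_t len;
    if (!parse_chunk_size(line, &len) || len > cap || len > src_len)
        return 0;
    memcpy(dst, src, len);
    return len;
}
```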
More here: http://googleprojectzero.blogspot.ca/2015/03/taming-wild-copy-parallel-thread.html