Integer overflow on negative HTTP POST Content-Length: paramters leads to 4-bytes heap overflow.
vulners.com/securityvulns/securityvulns:doc:11027
vulners.com/securityvulns/securityvulns:doc:11028