An out-of-bounds memory access vulnerability was found in libxml2 when parsing an unclosed HTML comment. When given an unclosed HTML comment such as <!-- the libxml2 parser didn't stop parsing at the end of the buffer, causing random memory to be included in the parsed comment.
CVE request:
http://seclists.org/oss-sec/2015/q3/540
Upstream was notified, but a patch has not been released yet. However, a patch for nokogiri, which uses an embedded libxml2, was proposed:
https://github.com/Shopify/nokogiri/compare/1b1fcad8bd64ab70256666c38d2c998e86ade8c0...master
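
A length-bounded comment scan that stops at the end of the buffer, as an added C example (not libxml2's or nokogiri's code, and not the proposed patch). The names `scan_comment` and `struct comment_span` are hypothetical and the sample bytes are constructed; an unclosed comment is clamped to the end of the input so that bytes following the buffer never become comment text.

```c
#include <stddef.h>
#include <string.h>

/* Result of scanning one comment; offsets are relative to the buffer start. */
struct comment_span {
    size_t body_off;  /* first byte after "<!--" */
    size_t body_len;  /* bytes of comment text, never past the buffer end */
    int    closed;    /* 1 if "-->" was found inside the buffer, else 0 */
};

/* Hypothetical helper, not libxml2's API. Scans the comment opening at
 * buf[open] within buf[0..len). Returns 0 on success, -1 if there is no
 * "<!--" at that offset. Every read is checked against len first. */
static int scan_comment(const char *buf, size_t len, size_t open,
                        struct comment_span *out)
{
    if (open > len || len - open < 4 || memcmp(buf + open, "<!--", 4) != 0)
        return -1;

    size_t i = open + 4;              /* invariant: i <= len */
    out->body_off = i;
    out->closed = 0;

    /* A terminator needs 3 bytes, so only probe while 3 bytes remain. */
    for (; len - i >= 3; i++) {
        if (memcmp(buf + i, "-->", 3) == 0) {
            out->body_len = i - out->body_off;
            out->closed = 1;
            return 0;
        }
    }
    /* Unclosed comment: clamp the body to the end of the input. */
    out->body_len = len - out->body_off;
    return 0;
}

/* Constructed sample: the declared input is only the first 7 bytes; the
 * rest stands in for unrelated memory that happens to follow the buffer. */
static const char SAMPLE_MEM[] = "<!-- hiSECRET-->";
#define SAMPLE_INPUT_LEN 7

int main(void)
{
    struct comment_span s;
    if (scan_comment(SAMPLE_MEM, SAMPLE_INPUT_LEN, 0, &s) != 0)
        return 1;
    /* Unclosed, and the body stops at the input boundary. */
    return (s.closed == 0 && s.body_len == 3) ? 0 : 1;
}
```

Building a regression test with AddressSanitizer (`-fsanitize=address`) and passing an exact-size heap copy of the input makes any read past `len` fail loudly instead of silently returning neighbouring bytes.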