It was discovered, that libxml2 does not properly handle long XML entity names. In the xmlParseAttValueComplex() function in parser.c, when entity name is not substituted with entity value, but is sent to output unchanged, buffer used to store entity name may not be grown sufficiently in case of long entity names, resulting in a heap buffer overflow.
Issue is already fixed upstream in version 2.7.0.
Created attachment 315648 [details]
Proposed patch from Daniel Veillard (against 2.6.32)