idn2_to_ascii_4i in lib/lookup.c in GNU libidn2 before 2.1.1 has a heap-based buffer overflow via a long domain string.
{ "vanir_signatures": [ { "id": "CVE-2019-18224-d1b63e78", "signature_type": "Function", "digest": { "function_hash": "214985951242038317322025943762415417586", "length": 701.0 }, "source": "https://github.com/libidn/libidn2/commit/e4d1558aa2c1c04a05066ee8600f37603890ba8c", "target": { "file": "lib/lookup.c", "function": "idn2_to_ascii_4i" }, "deprecated": false, "signature_version": "v1" }, { "id": "CVE-2019-18224-e627a1e0", "signature_type": "Line", "digest": { "threshold": 0.9, "line_hashes": [ "218593188083772802622278516276379885292", "75544740509718557889899472802812714157", "88559900838356515207564908305722819563", "162592913917631513379925092713417473222", "97451075533321452369957433137531049196", "287318457797403020141752624756010271903" ] }, "source": "https://github.com/libidn/libidn2/commit/e4d1558aa2c1c04a05066ee8600f37603890ba8c", "target": { "file": "lib/lookup.c" }, "deprecated": false, "signature_version": "v1" } ] }