The zlib extension module contains a method for flushing decompression streams that takes an input parameter specifying how much data to flush. This parameter is a signed integer that is not checked for sanity and can therefore be negative. When a negative value is passed, memory is misallocated, and the signed integer is then converted to an unsigned integer, resulting in a buffer overflow.
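
The missing sanity check, shown as an added C example that is not the module's own code: `length_as_avail_out`, `flush_checked` and `demo` are hypothetical names, and the sample data is constructed. It shows what a negative length becomes after the unsigned conversion, and a flush helper that rejects non-positive lengths and bounds the copy by the size it actually allocated.

```c
#include <limits.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* What an unchecked signed length turns into once it is stored in an
 * unsigned output-space field (zlib's z_stream.avail_out is unsigned). */
unsigned int length_as_avail_out(int length)
{
    return (unsigned int)length;   /* -1 becomes UINT_MAX */
}

/* Hardened flush (hypothetical helper): copies up to `length` bytes of
 * `pending` into a fresh buffer. Returns bytes copied, or -1 if rejected. */
long flush_checked(const unsigned char *pending, size_t pending_len,
                   int length, unsigned char **out)
{
    size_t cap, n;

    *out = NULL;
    if (length <= 0)               /* the sanity check the text says is missing */
        return -1;
    cap = (size_t)length;          /* safe: value is known to be positive */
    *out = malloc(cap);
    if (*out == NULL)
        return -1;
    n = pending_len < cap ? pending_len : cap;  /* never write past the allocation */
    memcpy(*out, pending, n);
    return (long)n;
}

/* Constructed sample: returns 1 if every case behaves as expected. */
int demo(void)
{
    static const unsigned char pending[] = "constructed sample data";
    unsigned char *buf;
    int ok = 1;

    ok &= (length_as_avail_out(-1) == UINT_MAX);
    ok &= (flush_checked(pending, sizeof pending, -1, &buf) == -1 && buf == NULL);
    ok &= (flush_checked(pending, sizeof pending, 0, &buf) == -1 && buf == NULL);
    ok &= (flush_checked(pending, sizeof pending, 8, &buf) == 8 && memcmp(buf, pending, 8) == 0);
    free(buf);
    return ok;
}

int main(void) { return demo() ? 0 : 1; }
```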

http://www.securiteam.com/unixfocus/5QP0E0UO0M.html