Using the affected libcurl version to download compressed
content over HTTP, an application can ask libcurl to
automatically uncompress data. When doing so, libcurl
can wrongly send data up to 64K in size to the callback
which thus is much larger than the documented maximum
size.
An application that blindly trusts libcurl's max limit
for a fixed buffer size or similar is then a possible
target for a buffer overflow vulnerability.