2018-11-19 16:02:42 UTC
This is not a vulnerability. The fuzzer did not check that the
precondition is satisfied. If XMLDocument::Parse is called in the
one-argument-form (or with a (size_t)-1 argument), then it uses strlen
on the input string, which must be null-terminated. This is clearly
spelled out in the API documentation.
This is just a courtesy notice in case you want to update your records
before MITRE processes the rejection request (or rejects it altogether).