This issue was introduced as part of the fix for Lucky 13 padding attack (CVE-2013-0169). The padding check was rewritten to be in constant time by making sure that always the same bytes are read and compared against either the MAC or padding bytes. But it no longer checked that there was enough data to have both the MAC and padding bytes.
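To make the point in that paragraph concrete, here is an added illustration (written for this post, not OpenSSL's code): a constant-time check of a decrypted TLS CBC record trailer that performs the length check the advisory describes as missing before it scans any padding bytes. The record layout it assumes is the standard one, payload || MAC || padding || padding_length, and the function names, the 20-byte MAC size and the sample records are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <limits.h>
#include <stdio.h>

/* All-ones when a <= b, zero otherwise, without a data-dependent branch.
 * Valid while a and b are far below SIZE_MAX / 2, which record lengths are. */
static uint8_t ct_le_mask(size_t a, size_t b)
{
    size_t diff = a - b - 1;                 /* wraps (top bit set) iff a <= b */
    return (uint8_t)(0 - (diff >> (sizeof(size_t) * CHAR_BIT - 1)));
}

/* Validate the trailer of a decrypted CBC record: rec = payload || MAC ||
 * padding || padding_length.  Returns 1 if well-formed and stores the payload
 * length in *plain_len; returns 0 otherwise. */
int check_cbc_trailer(const uint8_t *rec, size_t rec_len, size_t mac_size,
                      size_t *plain_len)
{
    if (rec == NULL || rec_len == 0)
        return 0;

    size_t pad_len = rec[rec_len - 1];       /* attacker-influenced byte */

    /* The check the advisory says was lost: the record must actually be long
     * enough to hold the MAC, the padding bytes and the padding_length byte.
     * Without it the scan below would read before the start of the buffer. */
    if (rec_len < mac_size + pad_len + 1)
        return 0;

    /* Constant-time padding scan: the number of bytes touched depends only on
     * the public record and MAC lengths, never on pad_len itself. */
    size_t window = rec_len - mac_size - 1;  /* bytes available for padding */
    if (window > 255)
        window = 255;

    uint8_t bad = 0;
    for (size_t i = 1; i <= window; i++) {
        uint8_t mask = ct_le_mask(i, pad_len);           /* 0xff for real padding bytes */
        bad |= (uint8_t)(rec[rec_len - 1 - i] ^ (uint8_t)pad_len) & mask;
    }
    if (bad != 0)
        return 0;

    if (plain_len != NULL)
        *plain_len = rec_len - mac_size - pad_len - 1;
    return 1;
}

/* Constructed sample: 2-byte payload, 20-byte MAC, 3 padding bytes, pad_len 3.
 * Returns the payload length on success, -1 on rejection. */
long demo_good(void)
{
    uint8_t rec[26] = { 'h', 'i' };
    for (size_t i = 2; i < 22; i++) rec[i] = 0xAA;   /* fake MAC */
    rec[22] = rec[23] = rec[24] = 0x03;              /* padding bytes */
    rec[25] = 0x03;                                  /* padding_length */
    size_t plain_len = 0;
    return check_cbc_trailer(rec, sizeof rec, 20, &plain_len) ? (long)plain_len : -1;
}

/* Constructed sample: a 5-byte record whose last byte claims 255 bytes of
 * padding.  The length check must reject it before anything is scanned. */
int demo_short(void)
{
    uint8_t rec[5] = { 0x01, 0x02, 0x03, 0x04, 0xFF };
    return check_cbc_trailer(rec, sizeof rec, 20, NULL);
}

/* Constructed sample: same layout as demo_good but one padding byte is wrong. */
int demo_badpad(void)
{
    uint8_t rec[26] = { 'h', 'i' };
    for (size_t i = 2; i < 22; i++) rec[i] = 0xAA;
    rec[22] = 0x02;                                  /* corrupted padding byte */
    rec[23] = rec[24] = rec[25] = 0x03;
    return check_cbc_trailer(rec, sizeof rec, 20, NULL);
}

int main(void)
{
    printf("good record: payload length %ld\n", demo_good());
    printf("short record accepted: %d\n", demo_short());
    printf("bad padding accepted: %d\n", demo_badpad());
    return 0;
}
```

The length check is plain data-independent arithmetic on public lengths, so adding it back does not reopen the timing channel the constant-time rewrite was meant to close; the padding scan below it still touches the same bytes whatever value the padding_length byte carries.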
CVE-2016-2108, on the other hand, is a combination move, starting from two "seemingly harmless" security issues:
This vulnerability is a combination of two bugs, neither of which individually has security impact.
Then someone at Google figured out that together they can be broken through:
The fact that these two issues combined present a security vulnerability was reported by David Benjamin (Google) on March 31st 2016.
Separately, the ImageMagick security issue next door is a disaster: it is RCE-grade, and the exploit is already running in the wild:
One of the vulnerabilities can lead to remote code execution (RCE) if you process user submitted images. The exploit for this vulnerability is being used in the wild.