The actual heap-buffer-overflow bug beneath CVE-2018-11723 is described in Issue #64 [1] in the upstream bug tracker.
The bug is fixed in version 20180714 by commit [2]. See also the libpff author's comments [3] on CVE-2018-11723.

[1] https://github.com/libyal/libpff/issues/64
[2] https://github.com/libyal/libpff/commit/7b92bcace7e743cc9417e3cc3e4eee29abb70cf5
[3] https://github.com/libyal/libpff/issues/66