Hi,

I discovered that there's an off-by-one bug in the bounds checking in statcheck(), convM2D(), convD2M() and convM2S().

For example, in convM2D() it sets ebuf as: ebuf = buf + nbuf; and then checks if reads will go past ebuf. But ebuf will point to the first byte after the buffer, so past ebuf will include the byte after the buffer. So it can potentially try to read or write to one byte past the buffer in all these functions.

--
Erik Dalén [EMAIL PROTECTED]
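
Added example, not part of the original message and not the source of the functions named in it: how a bounds check against a one-past-the-end pointer (ebuf = buf + nbuf) behaves at the boundary, next to a variant that is off by one. The helper names (fits, fits_off_by_one, parse_counted) and the count-prefixed field layout are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bytes left between cursor p and the one-past-the-end pointer ebuf. */
static size_t remaining(const uint8_t *p, const uint8_t *ebuf)
{
    return p <= ebuf ? (size_t)(ebuf - p) : 0;
}

/* Correct: the last byte read is p[n-1], which must lie below ebuf. */
int fits(const uint8_t *p, const uint8_t *ebuf, size_t n)
{
    return n <= remaining(p, ebuf);
}

/* Off by one: treats ebuf as the last valid byte, so it admits a read of *ebuf. */
int fits_off_by_one(const uint8_t *p, const uint8_t *ebuf, size_t n)
{
    return n <= remaining(p, ebuf) + 1;
}

/* Parse a 2-byte little-endian count followed by that many bytes
   (assumed layout). Returns bytes consumed, or -1 if the field crosses ebuf. */
long parse_counted(const uint8_t *buf, size_t nbuf, const uint8_t **data, size_t *len)
{
    const uint8_t *p = buf, *ebuf = buf + nbuf;
    if (!fits(p, ebuf, 2))
        return -1;
    size_t n = (size_t)p[0] | ((size_t)p[1] << 8);
    p += 2;
    if (!fits(p, ebuf, n))
        return -1;
    *data = p;
    *len = n;
    return (long)(2 + n);
}

int main(void)
{
    /* Constructed sample: count = 3, then "abc"; exactly fills 5 bytes. */
    const uint8_t msg[5] = { 3, 0, 'a', 'b', 'c' };
    const uint8_t *d; size_t n;
    printf("full buffer: %ld\n", parse_counted(msg, 5, &d, &n));
    printf("truncated:   %ld\n", parse_counted(msg, 4, &d, &n));
    printf("loose check at end: %d\n", fits_off_by_one(msg + 5, msg + 5, 1));
    return 0;
}
```

The checks compare a length against the remaining distance rather than forming p + n, so no pointer beyond one-past-the-end is ever computed.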
