This code is potentially dangerous:
vname = malloc(strlen(name) * 4 + 1);
/* vname == NULL check */
strunvis(vname, name);
because multiplication by 4 can overflow. It's easy to add a range check
but strunvis(3) manual states that the dst buffer should have the same
length as the src (no expansion).
I'd like to remove the multiplication, if there are no objections.
PS I also spotted a potential wraparound in len = bufsiz - 5; but
I assume that no reasonable person will pass buffer that short.
--
Alex
