In smidiff.c, in the function getStringIndexList(), the realloc() call for
strIdxList adds 4, which matches the number of literal characters in the
format string in the subsequent sprintf() call, but it doesn't account for
the terminating null byte. It should be "+ 5".
I suspect that most runs of smidiff don't get memory corruption from the
buffer overrun because realloc() usually happens to allocate a memory block
larger than requested (e.g., the next larger power of 2).
-- Nathan
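As an added illustration of the sizing mistake described above (this is example code written for this note, not libsmi's smidiff.c), the block below contrasts the "+ 4" computation with the byte count sprintf() actually needs, and shows a builder that lets snprintf() measure the output instead of counting literals by hand. The format string is an assumption: the real one is not reproduced here, so a hypothetical "%s -> %s" with exactly four literal characters stands in for it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical format string with exactly four literal characters
 * (' ', '-', '>', ' '); the real format in smidiff.c is not shown here. */
#define IDX_FMT "%s -> %s"
#define IDX_FMT_LITERALS 4

/* Bytes the sprintf() really writes: both strings, the literals, and
 * the terminating NUL byte. */
size_t index_list_bytes_needed(const char *a, const char *b)
{
    return strlen(a) + strlen(b) + IDX_FMT_LITERALS + 1;
}

/* The sizing from the report: "+ 4" covers the literals but forgets
 * the NUL, so it is always one byte short. */
size_t index_list_bytes_buggy(const char *a, const char *b)
{
    return strlen(a) + strlen(b) + IDX_FMT_LITERALS;
}

/* 1 if a buffer of `allocated` bytes can hold the formatted string
 * including its terminator, 0 if sprintf() would write past the end. */
int allocation_is_sufficient(size_t allocated, const char *a, const char *b)
{
    return allocated >= index_list_bytes_needed(a, b);
}

/* Safer builder: ask snprintf() for the length, then write with a
 * bounded call. Returns a malloc'd string, or NULL on error. */
char *build_index_list(const char *a, const char *b)
{
    int n = snprintf(NULL, 0, IDX_FMT, a, b);
    if (n < 0)
        return NULL;
    size_t need = (size_t)n + 1;          /* +1 for the NUL byte */
    char *buf = malloc(need);
    if (buf == NULL)
        return NULL;
    snprintf(buf, need, IDX_FMT, a, b);   /* bounded; cannot overrun */
    return buf;
}

int main(void)
{
    /* Constructed sample index names, not taken from any MIB. */
    const char *a = "ifIndex", *b = "ifDescr";
    printf("buggy size: %zu, needed: %zu\n",
           index_list_bytes_buggy(a, b), index_list_bytes_needed(a, b));
    char *s = build_index_list(a, b);
    if (s != NULL) {
        printf("%s (%zu chars)\n", s, strlen(s));
        free(s);
    }
    return 0;
}
```

The one-byte shortfall is exactly the kind of defect that stays silent when the allocator rounds requests up, as the report suspects; building the same binary with AddressSanitizer (or running it under valgrind) makes the out-of-bounds NUL write visible on the first call rather than only when the request happens to land on an allocation boundary.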