In smidiff.c, in the function getStringIndexList(), the realloc() call for strIdxList adds 4, which matches the number of literal characters in the format string in the subsequent sprintf() call, but it doesn't account for the terminating null byte. It should be "+ 5".

I suspect that most runs of smidiff don't get memory corruption from the buffer overrun because realloc() usually happens to allocate a memory block larger than requested (e.g., the next larger power of 2).

-- Nathan
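The sizing error described in the report, shown as an added example (this is not smidiff's own code; the format string, the function and variable names, and the sample index names are assumptions, with only the count of four literal characters taken from the report). The buggy size is kept as a function so it can be compared against what sprintf() actually writes, and the append routine formats into a fresh buffer instead of sprintf()ing over its own source argument:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed format: the existing list, four literal characters, then the
 * new name. The real smidiff format string is not reproduced here; only
 * the count of literal characters (4) is taken from the report. */
#define IDX_FMT "%s -> %s"      /* literals: ' ', '-', '>', ' ' = 4 bytes */
#define IDX_LITERALS 4

/* The size the report says realloc() is given: no room for the NUL. */
size_t buggy_alloc_size(size_t list_len, size_t name_len) {
    return list_len + name_len + IDX_LITERALS;
}

/* Corrected size ("+ 5"): literal characters plus the terminating NUL. */
size_t fixed_alloc_size(size_t list_len, size_t name_len) {
    return list_len + name_len + IDX_LITERALS + 1;
}

/* Bytes sprintf() will really write, NUL included. snprintf(NULL, 0, ...)
 * returns the formatted length without the NUL, hence the + 1. */
size_t bytes_sprintf_writes(const char *list, const char *name) {
    int n = snprintf(NULL, 0, IDX_FMT, list, name);
    return (size_t)n + 1;
}

/* Append one index name, growing the buffer by the corrected amount.
 * Formats into a new buffer because passing the destination buffer as a
 * source argument to sprintf() is undefined behaviour. Returns NULL on
 * allocation failure and leaves the old list untouched in that case. */
char *append_index(char *list, const char *name) {
    size_t need = fixed_alloc_size(strlen(list), strlen(name));
    char *out = malloc(need);
    if (out == NULL)
        return NULL;
    int n = snprintf(out, need, IDX_FMT, list, name);
    if (n < 0 || (size_t)n >= need) {   /* would mean our size math is wrong */
        free(out);
        return NULL;
    }
    free(list);
    return out;
}

int main(void) {
    /* Constructed sample input: an empty list and two hypothetical index names. */
    const char *names[] = { "ifIndex", "ipAdEntAddr" };
    char *list = malloc(1);
    if (list == NULL)
        return 1;
    list[0] = '\0';

    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        size_t buggy = buggy_alloc_size(strlen(list), strlen(names[i]));
        size_t real  = bytes_sprintf_writes(list, names[i]);
        printf("realloc size as reported: %zu, sprintf writes %zu bytes, short by %zu\n",
               buggy, real, real - buggy);
        char *grown = append_index(list, names[i]);
        if (grown == NULL) {
            free(list);
            return 1;
        }
        list = grown;
    }
    printf("list: \"%s\"\n", list);
    free(list);
    return 0;
}
```

Whatever the allocator rounds the request up to, the shortfall is always exactly one byte: the NUL lands just past the end of the requested block, which is why the overrun is usually silent and only shows up under a checking allocator or when the request happens to hit a size-class boundary.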