Second argument to strlcpy must always be NUL-terminated.
Even though strlcpy and strlcat stop copying their inputs when further bytes would fill up the output buffer, they keep reading the input string until they find a terminating NUL. This means that if you pass strlcpy or strlcat a non-NUL-terminated argument, they will keep reading off into the heap, and potentially crash.
We do this in at least one place.
Found while investigating #15083 (moved). This can be remotely triggerable on some systems, depending on the behavior of malloc(), and on whether buffer freelists are turned on, and on the phase of the moon.