There's something fishy in OSX's checked strlcat.
When it checks to see whether the destination buffer overlaps with the input buffer in the second case, it isn't checking whether the input overlaps with the actual buffer that will be written; it's checking whether the input overlaps with the destination buffer, plus the extra space after the end of the destination buffer that would be written if there were enough room for the whole input.
I believe the second overlap check should be something more like:
__chk_overlap(dest, len, src, len - initial_dstlen - 1);
- Check whether any of the BSDs have this problem.
- Check whether older OSXs have this problem.