Even though strlcpy and strlcat stop copying their inputs when further bytes would fill up the output buffer, they keep reading the input string until they find a terminating NUL. This means that if you pass strlcpy or strlcat a non-NUL-terminated argument, they will keep reading off into the heap, and potentially crash. We do this in at least one place. Found while investigating legacy/trac#15083. This can be remotely triggerable on some systems, depending on the behavior of malloc(), and on whether buffer freelists are turned on, and on the phase of the moon.