There's something fishy in OSX's checked strlcat.
Have a look at https://opensource.apple.com/source/Libc/Libc-1044.1.2/secure/strlcat_chk.c . When it checks to see whether the destination buffer overlaps with the input buffer in the second case, it isn't checking whether the input overlaps with the actual buffer that *will* be written; it's checking whether the input overlaps with the destination buffer, _plus the extra space after the end of the destination buffer that would be written if there were enough room for the whole input._

I believe the second overlap check should be something more like:

```
__chk_overlap(dest, len, src, len - initial_dstlen - 1);
```

To do:

* Check whether any of the BSDs have this problem.
* Check whether older OSXs have this problem.
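The difference between the two checks in the truncating case, modeled as an added example (not Apple's code and not part of the original post). The wide check's arguments are an assumption reconstructed from the description above; `ranges_overlap`, `bounded_len`, the two `*_check_fires` helpers and both sample layouts are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <string.h>

/* Do the half-open ranges [a, a+an) and [b, b+bn) intersect?
 * Offsets index one backing array, so the comparison is well defined. */
static int ranges_overlap(size_t a, size_t an, size_t b, size_t bn)
{
    return an != 0 && bn != 0 && a < b + bn && b < a + an;
}

/* Length of the string at s, capped at max (strnlen without POSIX). */
static size_t bounded_len(const char *s, size_t max)
{
    const char *nul = memchr(s, '\0', max);
    return nul ? (size_t)(nul - s) : max;
}

/* Check as the post describes it (assumed arguments): the destination range
 * runs to where the untruncated result would end; the source is the whole input. */
static int wide_check_fires(const char *mem, size_t dst, size_t len, size_t src)
{
    size_t dl = bounded_len(mem + dst, len), sl = strlen(mem + src);
    return ranges_overlap(dst, dl + sl + 1, src, sl + 1);
}

/* Check with the post's proposed arguments: the len-byte destination buffer
 * against the len - dl - 1 source bytes that a truncating copy reads. */
static int narrow_check_fires(const char *mem, size_t dst, size_t len, size_t src)
{
    size_t dl = bounded_len(mem + dst, len);
    if (dl >= len) return 0;   /* destination already full: nothing is copied */
    return ranges_overlap(dst, len, src, len - dl - 1);
}

/* Constructed: 8-byte destination holding "abcd", input stored right after it. */
static const char adjacent[32] = "abcd\0\0\0\0" "0123456789";
/* Constructed: input starts inside the 8-byte destination, after its NUL. */
static const char aliased[32] = "abcd\0" "0123456789";

int main(void)
{
    /* Adjacent buffers: only the wide check reports an overlap. */
    int a = wide_check_fires(adjacent, 0, 8, 8) && !narrow_check_fires(adjacent, 0, 8, 8);
    /* Genuinely aliased buffers: both checks report it. */
    int b = wide_check_fires(aliased, 0, 8, 5) && narrow_check_fires(aliased, 0, 8, 5);
    return (a && b) ? 0 : 1;
}
```

With the adjacent layout the truncating copy reads only three source bytes and never leaves the 8-byte destination, yet the wide ranges still intersect.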