
From: Theo Buehler <tb@theobuehler.org>
Subject: Re: missing length check in got_path_is_child()
To: gameoftrees@openbsd.org
Date: Wed, 11 May 2022 16:22:31 +0200

On Wed, May 11, 2022 at 04:05:33PM +0200, Stefan Sperling wrote:
> If the child path is a NUL-terminated C string shorter than the parent
> path, and the child path matches the parent path up to the child's end,
> then we end up with an out-of-bounds read.

In this situation the child's terminating NUL is smaller than the
corresponding non-zero byte of the parent, so strncmp() will return > 0
without going further. That's one reason why the manual says "The
strncmp() function compares at most len characters."

The C standard also explicitly says "characters that follow a null
character are not compared", so I think we can rely on that and there is
no out-of-bounds read.
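To make the argument above concrete, here is an added example (not got's own code, and not from either poster): a hypothetical `is_child_path()` that does the same kind of prefix check with `strncmp()`, plus an instrumented model of strncmp's loop, `bytes_examined()`, that reports how many byte positions are looked at before the comparison stops. The child string is heap-allocated at exactly its length plus one so that any read past its NUL would show up under ASan or valgrind; the sample paths are constructed for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical restatement of the prefix check under discussion (added
 * example, not got's own code). parent_len is strlen(parent).
 * Returns 1 if child lies below parent, 0 otherwise.
 */
static int
is_child_path(const char *child, const char *parent, size_t parent_len)
{
	if (parent_len == 0)	/* everything is below the empty path */
		return 1;
	/*
	 * strncmp() stops at the first differing byte or at a NUL in either
	 * string. A child shorter than parent_len is therefore never read
	 * past its terminator: its NUL differs from parent's non-NUL byte at
	 * the same index and the comparison ends right there.
	 */
	if (strncmp(parent, child, parent_len) != 0)
		return 0;
	/*
	 * Equality over parent_len bytes implies child has at least
	 * parent_len non-NUL bytes, so child[parent_len] is at worst the
	 * terminator and this read stays in bounds.
	 */
	return child[parent_len] == '/';
}

/*
 * Instrumented model of strncmp()'s loop: returns how many byte positions
 * are examined before the comparison stops, to make the "stops at NUL"
 * behaviour visible. It is a model for illustration, not libc's code.
 */
static size_t
bytes_examined(const char *a, const char *b, size_t len)
{
	size_t i;

	for (i = 0; i < len; i++) {
		if (a[i] != b[i] || a[i] == '\0')
			return i + 1;
	}
	return len;
}

int
main(void)
{
	const char *parent = "a/b/c";	/* constructed sample path */
	size_t parent_len = strlen(parent);
	size_t child_len = strlen("a/b");
	/* Exactly child_len + 1 bytes: nothing readable follows the NUL. */
	char *child = malloc(child_len + 1);
	int cmp;

	if (child == NULL)
		return 1;
	memcpy(child, "a/b", child_len + 1);

	cmp = strncmp(parent, child, parent_len);
	printf("strncmp(\"%s\", \"%s\", %zu) is %s; examined %zu of %zu bytes\n",
	    parent, child, parent_len,
	    cmp > 0 ? "> 0" : cmp < 0 ? "< 0" : "0",
	    bytes_examined(parent, child, parent_len), parent_len);
	printf("is_child_path(\"%s\", \"%s\") = %d\n", child, parent,
	    is_child_path(child, parent, parent_len));
	printf("is_child_path(\"%s\", \"%s\") = %d\n", parent, child,
	    is_child_path(parent, child, child_len));
	printf("is_child_path(\"a/bc\", \"%s\") = %d\n", child,
	    is_child_path("a/bc", child, child_len));

	free(child);
	return 0;
}
```

With parent first and child second, the result is positive because parent's `/` (0x2f, compared as unsigned char) is larger than the child's NUL; the sign flips if the arguments are swapped, but in either order the comparison ends at index 3 and never touches memory beyond the child's terminator.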