The patch included in SA-16:25 is incomplete, and may still permit heap corruption.
Wow, and they decided this was OK.
Unusual situation. The libarchive patches are understandably difficult because it’s a semantic fix. Is this hard link a good one or a bad one? Easy to accidentally break something. But memory corruption is typically easier. Did I allocate enough memory? That should have a concrete answer.