On examination, it seems that exp_getvfname() has no length-checking, so the exp_isufn() "tbuf" variable is overflowed if "expression" is longer than MAXVARNAMESIZE (40).
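The missing bound described above, shown as an added example (not the project's code): an unchecked name-copy loop of the kind the report describes next to a variant that takes the destination size and rejects over-long names. The function names, the name alphabet and the `MAXVARNAMESIZE + 1` buffer size are assumptions; only `MAXVARNAMESIZE` (40) and `tbuf` come from the report.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAXVARNAMESIZE 40 /* limit quoted in the report */

/* Assumed name alphabet for this sketch: letters, digits, '_' and '$'. */
int is_name_char(char c) {
    return isalnum((unsigned char)c) || c == '_' || c == '$';
}

/* Unchecked pattern: the loop stops only on the input, never on the
 * size of out. Shown for contrast and never called here. */
int getname_unchecked(const char *expr, char *out) {
    int n = 0;
    while (is_name_char(expr[n])) { out[n] = expr[n]; n++; }
    out[n] = '\0';
    return n;
}

/* Bounded variant: outsz is the full size of out, NUL included.
 * Returns the name length, or -1 (out emptied) if the name does not fit. */
int getname_checked(const char *expr, char *out, size_t outsz) {
    size_t n = 0;
    if (outsz == 0) return -1;
    while (is_name_char(expr[n])) {
        if (n + 1 >= outsz) { out[0] = '\0'; return -1; }
        out[n] = expr[n];
        n++;
    }
    out[n] = '\0';
    return (int)n;
}

/* Constructed input: a name of len 'A' characters followed by "+1". */
int try_name_len(size_t len) {
    char expr[128];
    char tbuf[MAXVARNAMESIZE + 1]; /* assumed declaration of the caller's buffer */
    if (len + 3 > sizeof expr) return -2;
    memset(expr, 'A', len);
    memcpy(expr + len, "+1", 3); /* copies '+', '1' and the NUL */
    return getname_checked(expr, tbuf, sizeof tbuf);
}

int main(void) {
    printf("40 -> %d, 41 -> %d, 100 -> %d\n",
           try_name_len(40), try_name_len(41), try_name_len(100));
    return 0;
}
```

Returning an error instead of silently truncating lets the caller report an over-long name rather than resolve a different, shorter one.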