Your Own Loops (cont.)
If the input is 250 characters or longer, a single byte past the end of the buffer is overwritten with NULL.
With an upward growing stack and a little endian machine (such as Intel), this means overwriting the least significant byte (LSB) of the pointer stored right after the buffer with zero.
With the buffer occupying most (but not all) of the preceding 256-byte block, there is a very high probability that the modified pointer points back into the buffer.
There is a good chance that this bug is exploitable!
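The off-by-one described above, reproduced in a constructed test harness (added here, not code from the slides): `copy_off_by_one` is the loop with the bug and `copy_bounded` the corrected loop; `byte_after_buffer` places a sentinel in the byte immediately after a 250-byte buffer and reports whether the copy's terminating NUL landed on it. All names are assumed.

```c
#include <stddef.h>
#include <string.h>

#define BUF_SIZE   250   /* buffer size from the slide */
#define FRAME_SIZE 256   /* constructed "frame": the buffer plus the bytes after it */
#define SENTINEL   0xAA  /* marks the byte right after the buffer */

/* The loop with the bug: it copies up to BUF_SIZE characters and then stores the
 * terminator at buf[i]. For inputs of 250 characters or more, i == BUF_SIZE here,
 * so the NUL lands one byte past the end of the buffer. */
static void copy_off_by_one(char *buf, const char *src)
{
    size_t i;
    for (i = 0; i < BUF_SIZE && src[i] != '\0'; i++)
        buf[i] = src[i];
    buf[i] = '\0';
}

/* Corrected loop: the last slot of the buffer is reserved for the terminator,
 * so the NUL can never be written beyond buf[BUF_SIZE - 1]. */
static void copy_bounded(char *buf, const char *src)
{
    size_t i;
    for (i = 0; i < BUF_SIZE - 1 && src[i] != '\0'; i++)
        buf[i] = src[i];
    buf[i] = '\0';
}

/* Runs one copy of an input of input_len 'A's into a frame whose first BUF_SIZE
 * bytes act as the buffer, and returns the byte right after the buffer:
 * SENTINEL means it was untouched, 0 means the terminator escaped the buffer.
 * The write stays inside `frame`, so the demonstration is well-defined C. */
static unsigned char byte_after_buffer(void (*copy)(char *, const char *),
                                       size_t input_len)
{
    unsigned char frame[FRAME_SIZE];
    char input[FRAME_SIZE + 1];

    if (input_len > FRAME_SIZE)
        input_len = FRAME_SIZE;
    memset(frame, SENTINEL, sizeof frame);
    memset(input, 'A', input_len);
    input[input_len] = '\0';

    copy((char *)frame, input);   /* frame[0..BUF_SIZE-1] is the buffer */
    return frame[BUF_SIZE];
}
```

With a 249-character input both loops leave the sentinel intact; from 250 characters upward only the corrected loop does.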