I've asked upstream if this is a security issue, and if so, what its CVE is, in <URL: https://github.com/merces/libpe/issues/34 >.
As far as I can tell, it is writing past the assigned buffer, which might be a security issue. -- Happy hacking Petter Reinholdtsen
