Hi, as jsg@ pointed out, rcs will segfault reliably when using malloc.conf with 'J' (the pointer in question is filled with d0's).
The pointer "rp_delta" is checked at the end of rcsparse_delta. If it's non-NULL, it will be included in a linked list; line 1181 of rcsparse.c. This RCS file triggers the segfault, as supplied by jsg@:

----------
head 1.1; access; symbols OPENBSD_5_6_BASE:1.1; locks; strict; comment @# @; @.1 date 95.12.18.15.18.15; author deraadt; state Exp; branches: n
----------

$ rlog foo,v
rlog: foo,v:9: no newline at end of file
Segmentation fault (core dumped)

Tobias

Index: usr.bin/cvs/rcsparse.c =================================================================== RCS file: /cvs/src/usr.bin/cvs/rcsparse.c,v retrieving revision 1.8 diff -u -p -u -p -r1.8 rcsparse.c --- usr.bin/cvs/rcsparse.c 16 Nov 2014 19:14:34 -0000 1.8 +++ usr.bin/cvs/rcsparse.c 22 Nov 2014 10:32:32 -0000 @@ -228,6 +228,7 @@ rcsparse_init(RCSFILE *rfp) pdp->rp_buf = xmalloc(RCS_BUFSIZE); pdp->rp_blen = RCS_BUFSIZE; pdp->rp_bufend = pdp->rp_buf + pdp->rp_blen - 1; + pdp->rp_delta = NULL; pdp->rp_token = -1; pdp->rp_lineno = 1; pdp->rp_msglineno = 1; Index: usr.bin/rcs/rcsparse.c =================================================================== RCS file: /cvs/src/usr.bin/rcs/rcsparse.c,v retrieving revision 1.11 diff -u -p -u -p -r1.11 rcsparse.c --- usr.bin/rcs/rcsparse.c 16 Nov 2014 19:14:34 -0000 1.11 +++ usr.bin/rcs/rcsparse.c 22 Nov 2014 10:32:32 -0000 @@ -227,6 +227,7 @@ rcsparse_init(RCSFILE *rfp) pdp->rp_buf = xmalloc(RCS_BUFSIZE); pdp->rp_blen = RCS_BUFSIZE; pdp->rp_bufend = pdp->rp_buf + pdp->rp_blen - 1; + pdp->rp_delta = NULL; pdp->rp_token = -1; pdp->rp_lineno = 1; pdp->rp_msglineno = 1;
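Review bot: the added `pdp->rp_delta = NULL;` in both hunks (usr.bin/cvs/rcsparse.c and usr.bin/rcs/rcsparse.c) only covers the one member whose stale value was reported; the surrounding context lines show pdp's fields being assigned one at a time after an xmalloc-style allocation rather than the struct being zeroed, so any other pointer member of the parse struct that a later NULL test relies on would fail the same way under malloc.conf 'J'. Worth auditing the remaining members of that struct in the same change, or zeroing the allocation so a future member cannot regress like this, and a one-line comment next to the new initialiser saying that rcsparse_delta tests rp_delta against NULL would tell the next reader why it is there.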
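As an added illustration of the defect class the mail describes (not OpenBSD's rcs or cvs code), the following C program models a parser state struct allocated from a junk-filling allocator, as malloc.conf 'J' does with 0xd0 bytes. One pointer member is never initialised, so the later "is it non-NULL?" test that decides whether to link it into a list sees a bogus non-NULL value; the fixed initialiser sets it to NULL. The names `junk_malloc`, `struct parse_state`, `init_buggy`, `init_fixed`, `delta_would_be_linked` and `delta_bits` are all hypothetical.

```c
/*
 * Added example (not the OpenBSD rcs/cvs code): a parser state struct is
 * allocated from an allocator that fills fresh memory with a junk byte,
 * one pointer member is never initialised, and a later "if (p != NULL)"
 * test therefore sees garbage and would link it into a list.
 * All identifiers here are hypothetical stand-ins.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define JUNK_BYTE 0xd0          /* the fill byte malloc.conf 'J' uses */
#define BUFSIZE   32

struct delta {
    char id[16];
    struct delta *next;
};

struct parse_state {
    char         *rp_buf;
    size_t        rp_blen;
    char         *rp_bufend;
    struct delta *rp_delta;     /* the member the patch initialises */
    int           rp_token;
    int           rp_lineno;
};

/* Constructed stand-in for a junk-filling allocator (not libc). */
static void *
junk_malloc(size_t n)
{
    void *p = malloc(n);
    if (p == NULL)
        abort();
    memset(p, JUNK_BYTE, n);    /* same effect as malloc.conf 'J' */
    return p;
}

/* Mirrors the pre-patch init: every field but rp_delta is assigned. */
struct parse_state *
init_buggy(void)
{
    struct parse_state *pdp = junk_malloc(sizeof(*pdp));
    pdp->rp_buf = junk_malloc(BUFSIZE);
    pdp->rp_blen = BUFSIZE;
    pdp->rp_bufend = pdp->rp_buf + pdp->rp_blen - 1;
    pdp->rp_token = -1;
    pdp->rp_lineno = 1;
    return pdp;                 /* rp_delta still holds 0xd0d0... */
}

/* Mirrors the post-patch init: the one-line fix on top of the above. */
struct parse_state *
init_fixed(void)
{
    struct parse_state *pdp = init_buggy();
    pdp->rp_delta = NULL;
    return pdp;
}

/*
 * The end-of-rcsparse_delta check as described in the mail: a non-NULL
 * rp_delta gets linked into the delta list. Only report the decision,
 * never dereference the pointer.
 */
int
delta_would_be_linked(const struct parse_state *pdp)
{
    return pdp->rp_delta != NULL;
}

/* Raw bits of rp_delta so the junk pattern can be inspected safely. */
uintptr_t
delta_bits(const struct parse_state *pdp)
{
    uintptr_t v;
    memcpy(&v, &pdp->rp_delta, sizeof(v));
    return v;
}

void
free_state(struct parse_state *pdp)
{
    free(pdp->rp_buf);
    free(pdp);
}

int
main(void)
{
    struct parse_state *a = init_buggy(), *b = init_fixed();
    printf("buggy: rp_delta=%#lx linked=%d\n",
        (unsigned long)delta_bits(a), delta_would_be_linked(a));
    printf("fixed: rp_delta=%#lx linked=%d\n",
        (unsigned long)delta_bits(b), delta_would_be_linked(b));
    free_state(a);
    free_state(b);
    return 0;
}
```

The buggy path reports the garbage pointer as a live delta, which is exactly the situation in which the real parser walks off into 0xd0-filled memory; the fixed path reports nothing pending. Junk-filling allocators are useful precisely because they turn this kind of latent read of uninitialised memory into a reliable crash instead of a rare one.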