Lack of documentation
Posted May 19, 2008 20:56 UTC (Mon) by brinkmd (guest, #45122)
Parent article: Debian, OpenSSL, and a lack of cooperation
The *real* problem with the code in question is that it was poorly documented. If you have to go and ask upstream to understand the security implications of the patch, you have already lost. Two identical lines of code were used in the program in two very different contexts, and the effect of the code relied on external factors (namely caller-provided buffer data), which was not documented at that particular part of the code. Code quality is a big issue for maintainability.
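The two-call-sites pattern the comment describes, as an added toy model in C (not OpenSSL's code and not written by the comment author; all names here are hypothetical): one shared mixing routine is called from a seeding function, where it is the only source of unpredictability, and from an output function, where it merely stirs in whatever the caller's buffer holds. A single flag removes both calls, and the check at the end shows that the seed then stops influencing the output.

```c
#include <stdint.h>
#include <string.h>

/* Toy entropy pool: a 64-bit state updated by a simple hash step.
 * Illustrative model only; it is not OpenSSL's md_rand.c. */
typedef struct { uint64_t state; } pool_t;

/* One mixing step, shared verbatim by both call sites below. */
static void pool_mix(pool_t *p, const unsigned char *buf, size_t n) {
    for (size_t i = 0; i < n; i++)
        p->state = (p->state ^ buf[i]) * 0x100000001b3ULL;
}

/* Call site 1: the caller supplies entropy (keystrokes, /dev/urandom, ...).
 * Here the mixed bytes are the ONLY thing that makes the pool unpredictable. */
static void pool_add(pool_t *p, const unsigned char *seed, size_t n, int mix_input) {
    if (mix_input)
        pool_mix(p, seed, n);          /* essential: removing it kills the entropy */
}

/* Call site 2: produce output bytes. The pool also stirs in the caller's
 * output buffer "for good measure"; that buffer may be uninitialised, which is
 * what a memory checker complains about. Dropping THIS call is harmless, but the
 * line is textually identical to the one in pool_add. */
static uint64_t pool_bytes(pool_t *p, unsigned char *out, size_t n, int mix_input) {
    if (mix_input)
        pool_mix(p, out, n);           /* incidental: contributes little or nothing */
    p->state = p->state * 6364136223846793005ULL + 1442695040888963407ULL;
    for (size_t i = 0; i < n; i++)
        out[i] = (unsigned char)(p->state >> (8 * (i % 8)));
    return p->state;
}

/* Derive a "key" from a seed, with both mixing lines kept or both removed. */
uint64_t derive_key(const char *seed, int keep_mixing) {
    pool_t p = { .state = 0xcbf29ce484222325ULL };   /* fixed initial state */
    unsigned char out[8];
    memset(out, 0, sizeof out);                      /* constructed, initialised buffer */
    pool_add(&p, (const unsigned char *)seed, strlen(seed), keep_mixing);
    return pool_bytes(&p, out, sizeof out, keep_mixing);
}

/* Do two different seeds still produce different keys? 1 = yes, 0 = no. */
int seeds_matter(int keep_mixing) {
    return derive_key("seed-A", keep_mixing) != derive_key("seed-B", keep_mixing);
}
```

With the shared line kept, `seeds_matter(1)` is 1; with both copies removed, every seed yields the same key, which is exactly the failure a comment at each call site would have made visible.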