Security engineer at Amazon. I read production C/C++ and systems code looking for the one path that drifted from its safe siblings — a missing bounds check, an unchecked attacker-controlled index — then prove it with a sanitizer and send the patch upstream.
smb_check_perm_dacl() failed to verify that an ACE was large enough to hold the sub-authorities its SID declared, letting an authenticated client trigger an out-of-bounds read past the security-descriptor allocation. Fixed by adding the missing bounds check; Cc'd to stable.
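Added example, not the kernel patch: a hand-written model of the bug class above. It assumes little-endian MS-DTYP ACL/ACE/SID shapes and uses its own constant and function names. It shows the arithmetic that trusts the SID's declared sub-authority count next to a walker that checks every derived length against the ACE and the allocation, fed a constructed ACE whose SID claims more sub-authorities than the ACE carries.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Wire layout of an ACL / ACE / SID as carried in a security descriptor
// (little-endian, MS-DTYP shapes), written out by hand so the example stands
// alone. Constants and helpers are this example's own, not the kernel's.
enum : uint8_t { ACCESS_ALLOWED_ACE_TYPE = 0, ACCESS_DENIED_ACE_TYPE = 1 };
constexpr size_t ACL_HDR = 8;   // revision, sbz1, size, ace_count, sbz2
constexpr size_t ACE_HDR = 4;   // type, flags, size
constexpr size_t SID_HDR = 8;   // revision, sub_auth_count, authority[6]
constexpr uint8_t SID_MAX_SUB_AUTHORITIES = 15;

static uint16_t rd16(const uint8_t *p) { return uint16_t(p[0] | (p[1] << 8)); }
static void wr16(std::vector<uint8_t> &v, uint16_t x) {
    v.push_back(uint8_t(x & 0xff)); v.push_back(uint8_t(x >> 8));
}
static void wr32(std::vector<uint8_t> &v, uint32_t x) {
    for (int i = 0; i < 4; i++) v.push_back(uint8_t((x >> (8 * i)) & 0xff));
}

// How far a walker that trusts the SID's declared sub-authority count will read.
// This is the arithmetic the unpatched code did without checking the result
// against the enclosing ACE or the allocation.
size_t sid_len_from_count(const uint8_t *sid) { return SID_HDR + 4u * sid[1]; }

// Hardened walk over a DACL: every length derived from the data is compared
// with the bytes actually present before anything is read through it.
// Returns the number of ACEs validated, or -1 if anything does not fit.
int validate_dacl(const uint8_t *buf, size_t len) {
    if (len < ACL_HDR) return -1;
    const uint16_t acl_size = rd16(buf + 2);
    const uint16_t ace_count = rd16(buf + 4);
    if (acl_size < ACL_HDR || acl_size > len) return -1;  // ACL exceeds allocation
    size_t off = ACL_HDR;
    for (uint16_t i = 0; i < ace_count; i++) {
        if (acl_size - off < ACE_HDR) return -1;           // no room for ACE header
        const uint16_t ace_size = rd16(buf + off + 2);
        if (ace_size < ACE_HDR || ace_size > acl_size - off) return -1;  // ACE spills past ACL
        const uint8_t type = buf[off];
        if (type == ACCESS_ALLOWED_ACE_TYPE || type == ACCESS_DENIED_ACE_TYPE) {
            if (ace_size < ACE_HDR + 4 + SID_HDR) return -1;  // mask + SID header must fit
            const size_t sid_off = off + ACE_HDR + 4;         // SID follows the access mask
            const uint8_t *sid = buf + sid_off;
            const size_t sid_room = off + ace_size - sid_off; // bytes the ACE leaves for the SID
            if (sid[0] != 1 || sid[1] > SID_MAX_SUB_AUTHORITIES) return -1;
            if (sid_len_from_count(sid) > sid_room) return -1;  // the check that was missing
        }
        off += ace_size;
    }
    return ace_count;
}

// Constructed input: a DACL with one ACCESS_ALLOWED ACE whose SID declares
// 'declared' sub-authorities but only carries 'actual' of them. The ACE and
// ACL sizes are honest, so only the SID's count lies.
std::vector<uint8_t> make_dacl(uint8_t declared, uint8_t actual) {
    std::vector<uint8_t> ace;
    ace.push_back(ACCESS_ALLOWED_ACE_TYPE);
    ace.push_back(0);                                   // flags
    wr16(ace, uint16_t(ACE_HDR + 4 + SID_HDR + 4u * actual));
    wr32(ace, 0x001200a9);                              // access mask
    ace.push_back(1);                                   // SID revision
    ace.push_back(declared);                            // declared sub-authority count
    for (int i = 0; i < 6; i++) ace.push_back(i == 5 ? 5 : 0);  // NT authority
    for (uint8_t i = 0; i < actual; i++) wr32(ace, 0x15u + i);
    std::vector<uint8_t> dacl;
    dacl.push_back(2); dacl.push_back(0);               // ACL revision, sbz1
    wr16(dacl, uint16_t(ACL_HDR + ace.size()));
    wr16(dacl, 1); wr16(dacl, 0);                       // ace_count, sbz2
    dacl.insert(dacl.end(), ace.begin(), ace.end());
    return dacl;
}

// Result of the hardened walk on the constructed DACL.
int validate_case(uint8_t declared, uint8_t actual) {
    const std::vector<uint8_t> d = make_dacl(declared, actual);
    return validate_dacl(d.data(), d.size());
}

// Bytes past the end of the allocation that the unchecked arithmetic would read.
size_t unchecked_overrun(uint8_t declared, uint8_t actual) {
    const std::vector<uint8_t> d = make_dacl(declared, actual);
    const size_t sid_off = ACL_HDR + ACE_HDR + 4;
    const size_t sid_end = sid_off + sid_len_from_count(d.data() + sid_off);
    return sid_end > d.size() ? sid_end - d.size() : 0;
}
```

A SID declaring 5 sub-authorities inside a 20-byte ACE makes the unchecked walker reach 16 bytes past a 28-byte allocation; the hardened walk rejects it at the SID check, and also rejects an ACL whose declared size exceeds the buffer handed in.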
An attacker-controlled class_type index read from an untrusted flatbuffer was used as an unchecked operator[] subscript and the result dereferenced: a crafted module passes the verifier yet SIGSEGVs. The fix routes both call sites through the bounds-checked accessor.
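Added example, not the project's code: a constructed stand-in for the flatbuffer-decoded module (its serialized layout, field names and the two call sites are made up for illustration). It shows why a structural verifier lets the bad index through, the unchecked operator[] lookup next to the bounds-checked accessor, and both call sites routed through that accessor.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Constructed stand-in for a flatbuffer-decoded module. Serialized form
// (little-endian): u32 nclasses, nclasses x u32 class_size,
// u32 nobjects, nobjects x u32 class_type. Layout and names are this
// example's own, not the project's schema.
struct Module {
    std::vector<uint32_t> class_sizes;  // the class table
    std::vector<uint32_t> class_types;  // per object: index into class_sizes
};

static uint32_t rd32(const uint8_t *p) {
    return uint32_t(p[0]) | (uint32_t(p[1]) << 8) | (uint32_t(p[2]) << 16) | (uint32_t(p[3]) << 24);
}
static void wr32(std::vector<uint8_t> &v, uint32_t x) {
    for (int i = 0; i < 4; i++) v.push_back(uint8_t((x >> (8 * i)) & 0xff));
}

// What a structural verifier checks: every vector lies inside the buffer.
// It does not know that class_type must be < nclasses, so a crafted value
// passes and the range check has to live at the point of use.
bool verify(const std::vector<uint8_t> &b) {
    size_t len = b.size(), off = 0;
    if (len - off < 4) return false;
    uint32_t n = rd32(b.data() + off); off += 4;
    if (n > (len - off) / 4) return false;
    off += 4 * size_t(n);
    if (len - off < 4) return false;
    uint32_t m = rd32(b.data() + off); off += 4;
    return m <= (len - off) / 4;
}

// Decode after verify() has passed: lengths are trusted here, indices are not.
Module decode(const std::vector<uint8_t> &b) {
    Module mod; size_t off = 0;
    uint32_t n = rd32(b.data() + off); off += 4;
    for (uint32_t i = 0; i < n; i++, off += 4) mod.class_sizes.push_back(rd32(b.data() + off));
    uint32_t m = rd32(b.data() + off); off += 4;
    for (uint32_t i = 0; i < m; i++, off += 4) mod.class_types.push_back(rd32(b.data() + off));
    return mod;
}

// Vulnerable: the attacker-chosen class_type goes straight into operator[].
// Out of range is undefined behaviour; in practice a wild read and SIGSEGV,
// or a silently wrong size if the read lands on mapped memory.
uint32_t class_size_unchecked(const Module &m, size_t obj) {
    return m.class_sizes[m.class_types[obj]];
}

// Hardened: the one bounds-checked accessor all call sites go through.
// Returns false, without touching memory, when either index is out of range.
bool class_size_of(const Module &m, size_t obj, uint32_t &out) {
    if (obj >= m.class_types.size()) return false;
    const uint32_t idx = m.class_types[obj];
    if (idx >= m.class_sizes.size()) return false;
    out = m.class_sizes[idx];
    return true;
}

// Call site 1: total bytes needed for all objects, or -1 if any is malformed.
long long total_size(const Module &m) {
    long long sum = 0; uint32_t sz;
    for (size_t i = 0; i < m.class_types.size(); i++) {
        if (!class_size_of(m, i, sz)) return -1;
        sum += sz;
    }
    return sum;
}

// Call site 2: the largest object, or -1 if any is malformed.
long long largest_object(const Module &m) {
    long long best = 0; uint32_t sz;
    for (size_t i = 0; i < m.class_types.size(); i++) {
        if (!class_size_of(m, i, sz)) return -1;
        if (sz > best) best = sz;
    }
    return best;
}

// Constructed buffers: two classes (16 and 8 bytes), three objects. The
// crafted variant points the last object at class 7 of a two-entry table.
std::vector<uint8_t> make_buffer(bool crafted) {
    std::vector<uint8_t> b;
    wr32(b, 2); wr32(b, 16); wr32(b, 8);
    wr32(b, 3); wr32(b, 0); wr32(b, 1); wr32(b, crafted ? 7 : 0);
    return b;
}
```

Both buffers pass verify(); only the checked accessor turns the crafted index into a clean failure instead of a read through class_sizes[7] of a two-element vector. Keeping the check in one accessor rather than at each call site is what stops the next call site from drifting back to the unchecked form.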