# Extended 5.12 — UnixOSProcessPlugin cStringFromString: unchecked calloc + len+1 overflow

Bug ref      : pharo.md §5.12
Severity     : MEDIUM (NULL deref on OOM, int overflow on huge image string)
File         : extracted/plugins/UnixOSProcessPlugin/src/common/UnixOSProcessPlugin.c
Lines (HEAD) : 411-422

## Problem

```c
sPtr = arrayValueOf(aString);
len = sizeOfSTArrayFromCPrimitive(sPtr);
cString = callocWrappersize(len + 1, 1);     // len+1 wraps for huge len
strncpy (cString, sPtr, len);                 // cString may be NULL
```

`len + 1` is signed; for `len == INT_MAX` it wraps to `INT_MIN`,
allocates very little, then `strncpy` overflows. `callocWrappersize`
not checked.

## Fix

```diff
diff --git a/extracted/plugins/UnixOSProcessPlugin/src/common/UnixOSProcessPlugin.c b/extracted/plugins/UnixOSProcessPlugin/src/common/UnixOSProcessPlugin.c
index c21e34894..88273f8a1 100644
--- a/extracted/plugins/UnixOSProcessPlugin/src/common/UnixOSProcessPlugin.c
+++ b/extracted/plugins/UnixOSProcessPlugin/src/common/UnixOSProcessPlugin.c
@@ -416,9 +416,15 @@ cStringFromString(sqInt aString)
 
 	sPtr = arrayValueOf(aString);
 	len = sizeOfSTArrayFromCPrimitive(sPtr);
+	if (len < 0 || (size_t)len >= SIZE_MAX - 1) {
+		return NULL;
+	}
 
 	/* Space for a null terminated C string. */
-	cString = callocWrappersize(len + 1, 1);
+	cString = callocWrappersize((size_t)len + 1, 1);
+	if (cString == NULL) {
+		return NULL;
+	}
 	strncpy (cString, sPtr, len);
 
 	return cString;
```

Callers should also handle the new NULL return; audit each.

## Test plan

- Pass a huge synthetic string (size INT_MAX): function returns
  NULL instead of crashing.
- Under OOM: returns NULL.
- Normal string: unchanged.

## Risk notes

- Function previously could not return NULL; callers must be
  audited to tolerate it. If a caller can't, prefer `primitiveFail`
  inside the caller after this returns NULL.