Four -v rdata renderers could overflow a fixed stack buffer from one parseable record, before any validation:
- RRSIG: oversized ECDSA signature written below a 96-byte array — now length-checked at parse (64/96, RFC 6605).
- IPSECKEY: type-3 gateway name
strcpy'd into a 1024-byte buffer — now rendered without a fixed copy.
- NSEC/NSEC3: type-bitmap cursor ran past its buffer, underflowing the remaining length — now clamped per site, as in SVCB/NSEC3PARAM/TXT.
Well-formed output unchanged. ASan fixtures added; passes on macOS, Rocky 9, Ubuntu, Debian (incl. i386) and FreeBSD; scan-build clean.
Four `-v` rdata renderers could overflow a fixed stack buffer from one parseable record, before any validation:
- **RRSIG:** oversized ECDSA signature written below a 96-byte array — now length-checked at parse (64/96, RFC 6605).
- **IPSECKEY:** type-3 gateway name `strcpy`'d into a 1024-byte buffer — now rendered without a fixed copy.
- **NSEC/NSEC3:** type-bitmap cursor ran past its buffer, underflowing the remaining length — now clamped per site, as in SVCB/NSEC3PARAM/TXT.
Well-formed output unchanged. ASan fixtures added; passes on macOS, Rocky 9, Ubuntu, Debian (incl. i386) and FreeBSD; scan-build clean.