Agreed, so in this particular case I would have allocated those buffers statically but scoped to the function (so outside the heap). Feel free to call me paranoid ;) I'd have added a sentinel as well.
Locally scoped statics are still the moral equivalent of globals, and a waiting landmine for anyone who might ever run this code in a multithreaded environment.
Yes, that's definitely a problem. But switching from single threading to multi-threading should trigger a complete review of all the underlying code. That's not a trivial change and likely to break very many things if the assumption was that the code would be single threaded. Every data structure would need to be inspected.
Static buffers have even less protections than the stack or the heap. On many Linux and BSD systems, static variables don't even have ASLR applied to them if they're in an executable rather than a library.
Yes, because as a rule it is much harder to get execution of arbitrary code out of an overflow in a buffer allocated like that. The protections are there where they are needed most.
