GNU cflow up to and including 1.6 has a heap-based buffer over-read in the nexttoken function in parser.c.
gnu cflow