An interesting genre of bug occurs in C when the return value and the success status of a function share the same variable.
Consider the read function.
ssize_t read(int fd, void *buf, size_t count);
size_t is normally unsigned int, and ssize_t int.
How big can count be? read returns the number of bytes it read. It should be equal to count when it succeeds (except in the case of a non-blocking read). But what if count is greater than INT_MAX?
I've seen it to be the case that various functions in libc return (ssize_t)count, even when count is greater than INT_MAX. This is the case with the 32-bit lseek calls in Linux.
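The following is an added example (not code from the original post) showing the collision described above: a routine that returns (ssize_t)count on success yields a negative value once count exceeds SSIZE_MAX, so a caller testing "r < 0" cannot tell success from failure, while a wrapper that caps the request at SSIZE_MAX keeps the two ranges disjoint. The names model_read_returns_count, naive_caller_thinks_failed, read_bounded and bounded_count are assumptions introduced here; the pipe in main is constructed input.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Fallback for toolchains whose <limits.h> does not define SSIZE_MAX. */
#ifndef SSIZE_MAX
#define SSIZE_MAX ((ssize_t)(SIZE_MAX / 2))
#endif

/* Hypothetical model of a routine that, like the libc behaviour described
   in the post, reports success by returning (ssize_t)count.  The cast is
   implementation-defined once count > SSIZE_MAX; on common compilers it
   wraps into the negative range that callers reserve for errors. */
static ssize_t model_read_returns_count(size_t count) {
    return (ssize_t)count;
}

/* Naive caller: treats any negative return as failure.  Returns 1 when it
   would conclude the call failed, 0 otherwise. */
int naive_caller_thinks_failed(size_t count) {
    ssize_t r = model_read_returns_count(count);
    return r < 0;
}

/* Pure helper: the request size that read_bounded actually passes on.
   Capping at SSIZE_MAX guarantees a successful byte count can never land
   in the error range, whatever the underlying implementation does. */
size_t bounded_count(size_t count) {
    return count > (size_t)SSIZE_MAX ? (size_t)SSIZE_MAX : count;
}

/* Hardened wrapper around read(2): clamps count before the syscall so the
   "negative means error" check in the caller stays sound. */
ssize_t read_bounded(int fd, void *buf, size_t count) {
    return read(fd, buf, bounded_count(count));
}

int main(void) {
    /* Constructed input: a pipe carrying a short message. */
    int fds[2];
    char buf[16] = {0};
    if (pipe(fds) != 0) {
        perror("pipe");
        return 1;
    }
    const char *msg = "hello";
    if (write(fds[1], msg, strlen(msg)) < 0) {
        perror("write");
        return 1;
    }
    ssize_t n = read_bounded(fds[0], buf, sizeof buf);
    if (n < 0) {
        perror("read_bounded");
        return 1;
    }
    printf("read %zd bytes: %.*s\n", n, (int)n, buf);

    /* The ambiguity itself: a "successful" count above SSIZE_MAX reads as
       failure to a caller that only checks the sign. */
    size_t huge = (size_t)SSIZE_MAX + 1;
    printf("count %zu: naive caller thinks failed = %d\n",
           huge, naive_caller_thinks_failed(huge));
    printf("count %zu: bounded request = %zu\n", huge, bounded_count(huge));
    close(fds[0]);
    close(fds[1]);
    return 0;
}
```

The clamp is the defensive half of the story: POSIX leaves read's result unspecified for count > SSIZE_MAX, so a caller that never issues such a request never has to interpret an ambiguous return.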
I am sure there are vulnerabilities present due to this behaviour. It's only a question of where they are.