It seems xdrmem_setpos tries to defend against out-of-bounds values of the pos argument:
174 static bool_t
175 xdrmem_setpos (XDR *xdrs, u_int pos)
177 caddr_t newaddr = xdrs->x_base + pos;
178 caddr_t lastaddr = xdrs->x_private + xdrs->x_handy;
179 size_t handy = lastaddr - newaddr;
181 if (newaddr > lastaddr
182 || newaddr < xdrs->x_base
183 || handy != (u_int) handy)
184 return FALSE;
186 xdrs->x_private = newaddr;
187 xdrs->x_handy = (u_int) handy;
188 return TRUE;
This code is invalid C. The sum "xdrs->x_base + pos" (line 177) is undefined by the C standard when the result doesn't point into the same array. Then, checks for pointer wrapping like "newaddr < xdrs->x_base" (line 182) are already "miscompiled" by clang and, I guess, could be expected to be broken by gcc in the future.
Similar to pr19391.