In speed.c, the option multi can be specified through command line:

The value of multi is not sanitized and passed directly into do_multi:

which is then used as size for memory allocation:

By specifying multi (e.g., making it very large), one can trigger a signed integer overflow during the computation of the allocation size, which is a bug and can be dangerous.