Subject: That MH "inc" bug I reported...
To: None <current-users@NetBSD.ORG>
From: John F. Woods <jfw@jfwhome.funhouse.com>
List: current-users
Date: 10/24/1996 23:09:27
Well, it probably started showing up because of some change in the NetBSD
libraries, but it was an MH bug, pure and simple (and one that I think
bug connoisseurs on the list will enjoy :-).

To recap, I was seeing the "inc" program occasionally report that a header
line had a newline in the middle of the label (i.e. "X-Mailer: something"
might generate a complaint about "X-Ma" ending with a newline).  I wondered
if it was some kind of stdio problem, especially because MH plays truly
unnatural games with the innards of the stdio library.

I even tracked it down to happening only on headers that happened to straddle
8KB boundaries, which made a stdio interaction all the more likely.  However,
when I finally found the time to single-step through the code of MH, one
line caught my eye immediately and sure enough...

Here's the loop which starts at the beginning of a line and scans for
a header name (m_getfld.c, starting at line 247):

		bp = sp = (unsigned char *) iob->_ptr - 1;
		j = (cnt = iob->_cnt+1) < i ? cnt : i;
		while ((c = *bp++) != ':' && c != '\n' && --j >= 0)
		    *cp++ = c;

Seasoned debuggers are probably already saying "DOH!"  And sure
enough, not only does it LOOK fishy to test the number of remaining
characters AFTER testing the contents of a location, it IS fishy.
This code, sure enough, marches one character off the end of the
buffer, tests that character, and THEN realizes that it went too far.
The most obvious fix is to change the while condition to

		while ((--j >= 0) && (c = *bp++) != ':' && c != '\n')
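
The following is an added illustration, not code from the post above or from MH itself. It puts the two while-condition orderings side by side over a small instrumented buffer so the one-byte overread, and the way the stray byte decides how the loop terminates, can be observed without actually dereferencing past an allocation. The struct, the `buf_get` accessor, the sample input and the `stale` byte are all constructed for the example; MH's `iob->_ptr`/`iob->_cnt` bookkeeping is stood in for by a plain index and length.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/*
 * Instrumented stand-in for the stdio buffer.  Every read goes through
 * buf_get(), which records the highest index touched and, for an index past
 * the end, hands back a "stale" byte instead of touching real memory.  That
 * makes the overread visible and keeps the demo free of undefined behaviour.
 */
struct buf {
    const unsigned char *data;
    size_t len;            /* bytes actually valid in the buffer */
    unsigned char stale;   /* whatever happens to sit just past the end */
    size_t max_index;      /* highest index ever read */
    int overread;          /* 1 if any read went past len */
};

static int buf_get(struct buf *b, size_t i)
{
    if (i > b->max_index)
        b->max_index = i;
    if (i >= b->len) {
        b->overread = 1;
        return b->stale;
    }
    return b->data[i];
}

/*
 * Copy a header label from b into out (at most outsz-1 bytes), stopping at
 * ':' or '\n' or after cnt bytes.  Returns the byte that ended the scan.
 * fixed == 0: same condition order as the loop quoted from m_getfld.c, the
 * byte is fetched and tested before the remaining count is checked.
 * fixed != 0: the count is checked first, as in the proposed fix.
 */
static int scan_label(struct buf *b, size_t cnt, int fixed, char *out, size_t outsz)
{
    size_t idx = 0, n = 0;
    long j = (long)cnt;
    int c = 0;

    if (!fixed) {
        while ((c = buf_get(b, idx++)) != ':' && c != '\n' && --j >= 0)
            if (n + 1 < outsz) out[n++] = (char)c;
    } else {
        while (--j >= 0 && (c = buf_get(b, idx++)) != ':' && c != '\n')
            if (n + 1 < outsz) out[n++] = (char)c;
    }
    out[n] = '\0';
    return c;
}

/* Constructed sample: the buffer ends in the middle of "X-Mailer:", as when
   the label straddles a stdio buffer boundary, and a '\n' lies just past it. */
static const unsigned char SAMPLE[] = "X-Ma";

static struct buf make_sample(void)
{
    struct buf b = { SAMPLE, sizeof SAMPLE - 1, '\n', 0, 0 };
    return b;
}

/* Original ordering: highest index read is len, one past the end. */
static size_t buggy_max_index(void)
{
    struct buf b = make_sample();
    char out[16];
    scan_label(&b, b.len, 0, out, sizeof out);
    return b.max_index;
}

/* Original ordering: the stale byte is what the caller sees as terminator,
   which is exactly the "label ends with a newline" complaint. */
static int buggy_stop_char(void)
{
    struct buf b = make_sample();
    char out[16];
    return scan_label(&b, b.len, 0, out, sizeof out);
}

/* Fixed ordering: highest index read is len-1, nothing past the end. */
static size_t fixed_max_index(void)
{
    struct buf b = make_sample();
    char out[16];
    scan_label(&b, b.len, 1, out, sizeof out);
    return b.max_index;
}

static int fixed_overread(void)
{
    struct buf b = make_sample();
    char out[16];
    scan_label(&b, b.len, 1, out, sizeof out);
    return b.overread;
}

/* When the ':' is inside the buffer both orderings agree: label is "X-Mailer". */
static int label_len_when_colon_present(int fixed)
{
    static const unsigned char full[] = "X-Mailer: foo\n";
    struct buf b = { full, sizeof full - 1, '\n', 0, 0 };
    char out[32];
    scan_label(&b, b.len, fixed, out, sizeof out);
    return (int)strlen(out);
}

int main(void)
{
    printf("original: max index %zu of len 4, stop char %d\n",
           buggy_max_index(), buggy_stop_char());
    printf("fixed:    max index %zu, overread %d\n",
           fixed_max_index(), fixed_overread());
    return 0;
}
```

The instrumented buffer makes the point of the post concrete: with the byte fetched before the count is tested, the loop examines `len + 1` bytes and its exit condition depends on whatever lies beyond the buffer, so the symptom comes and goes with the contents of that memory. Reordering the test costs nothing and bounds the scan to the bytes the caller said were valid.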