/usr/bin/which overflow

["enthh () FLASH NET" <enthh () FLASH NET>]

Hello, I have recently found a buffer overflow in Slackware 4.0, and 7.0.0's /usr/bin/which (I assume others).  It 
overflows at about 985 bytes, and although its not setuid(), alot of programs use which to find system files, 
indirectly causing other programs to overflow. 

I don't know much about the program (and there's no use for an exploit), although I have a few questions.  Is it a heap 
or stack-based overflow? How do you know?  Is it a format string bug as well?  Below is a copy of which.c

/* which - C version of the unix/csh 'which' command
 * vix 23jul86 [written]
 * vix 24jul86 [don't use dynamic memory]
 */

#include <stdio.h>

static char *myname;

main(argc, argv)
int argc;
char *argv[];
{
 char *getenv(), *path = getenv("PATH");

 myname = argv[0];
 for (argc--, argv++;  argc;  argc--, argv++)
  if (0 != which(*argv, path))
   exit(1);
 exit(0);
}

static which(name, path)
char *name, *path;
{
 char test[1000], *pc, *malloc(), save;
 int len, namelen = strlen(name), found;

 pc = path;
 found = 0;
 while (*pc != '\0' && found == 0)
 {
  len = 0;
  while (*pc != ':' && *pc != '\0')
  {
   len++;
   pc++;
  }

  save = *pc;
  *pc = '\0';
  sprintf(test, "%s/%s", pc-len, name);
  *pc = save;
  if (*pc)
   pc++;

  found = (0 == access(test, 01)); /* executable */
  if (found)
   puts(test);
 }
 if (found == 0)
 {
  printf("%s: no %s in (%s)\n", myname, name, path);
  return 1;
 }
 return 0;
}


Any information would be greatly appreciated.