Screen was being queried from within a client after it had been free'd.

Allows this function to always return the proper path in situations where the $PLAN9 environment variable is not set, i.e. a rc login shell.

That is, not only when -r was given. This allows using this veriable in mkfiles across the code base.

Certain XkbOptions in X11 would change keysyms for modifier keys between the key press and key release. For example, under the XkbOptions "grp:shifts_toggle", though shift keys remain Shift_L/R when pressed, they become ISO_Group_Next/Prev when released. This behavior makes devdraw unable to detect the release event correctly and as a result mouse button 1 click always interpreted as button 3 event after a shift key is used.

The function `startrpc()` stack allocates a local buffer of size 100: ```c static Muxrpc* startrpc(int type) { uchar buf[100]; ^^^^^^^^ Wsysmsg w; w.type = type; convW2M(&w, buf, sizeof buf); return muxrpcstart(display->mux, buf); } ``` The function `convW2M()` is called passing `buf`. That function accesses `buf` out-of-bounds: ```c uint convW2M(Wsysmsg *m, uchar *p, uint n) { ... case Tcursor2: PUT(p+6, m->cursor.offset.x); PUT(p+10, m->cursor.offset.y); memmove(p+14, m->cursor.clr, sizeof m->cursor.clr); memmove(p+46, m->cursor.set, sizeof m->cursor.set); PUT(p+78, m->cursor2.offset.x); PUT(p+82, m->cursor2.offset.y); memmove(p+86, m->cursor2.clr, sizeof m->cursor2.clr); memmove(p+214, m->cursor2.set, sizeof m->cursor2.set); p[342] = m->arrowcursor; ^^^^^^ ``` To fix the issue the size of local variable `buf` is increased from 100 to 512 to avoid out-of-bounds array access.

When the 9P connection is closed, reads on the connection will keep returning 0. So, fossil ends up looping forever, trying to read a 9P message, consuming 100% CPU. The fix interprets 0 bytes read as EOF. Reproduce by killing the 9pserve process serving the fossil service, or by listening on tcp and using 9p(1).