Interesting.. but hard to know how serious it really is.. It seems to be suggesting that the main risk would be malicious comments in an open source repository.. But it seems like it should be pretty easy to detect and block going forward..
If the reviewers know about it, and how to look for it, yes-ish … But depending on how sparsely the hostile characters can be spread throughout the string, strings, or string array...it could be very difficult to find/identify. Especially if it was buried in a "robust" error checking routine that was (by appearances) just page after page of 'error code xxx = undercooked potato warning 7' type stuff.
It wouldn't even need to be a full blown exploit (as most are chained/blended these days) it just needs to be a toenail on the windowsill that a foot can follow type of thing to be effective-ly dangerous as hell.