Report
In tar's lib/wordsplit.c, the environment variable builder allocates a buffer sized as (namelen + strlen(value) + 2) but then writes into it using strcpy(v + namelen, value) without accounting for the already incremented index (v[namelen++]='='). This can lead to an out-of-bounds write if the subsequent copy start pointer and computed remaining space are inconsistent, making a buffer overflow plausible. Flawfinder flags a strcpy at around line 1133/1693 depending on file version.
0a5b8530-aead-428e-8bc8-7db65d1ae3d7
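The byte accounting the report describes, as an added example that is not taken from tar's wordsplit.c: a hypothetical helper, env_entry_build, builds NAME=VALUE with a single running offset and checks that the bytes written equal the bytes allocated (namelen, plus 1 for '=', plus strlen(value), plus 1 for the NUL). The function names and the sample input are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not from tar): build "NAME=VALUE" in a fresh buffer.
 * name need not be NUL-terminated; namelen gives its length.
 * Returns NULL on size overflow or allocation failure. If out_size is
 * non-NULL it receives the number of bytes allocated. */
char *env_entry_build(const char *name, size_t namelen,
                      const char *value, size_t *out_size)
{
    size_t vlen = strlen(value);

    /* Need namelen + 1 ('=') + vlen + 1 (NUL); reject size_t wraparound. */
    if (namelen > SIZE_MAX - 2 || vlen > SIZE_MAX - 2 - namelen)
        return NULL;
    size_t size = namelen + vlen + 2;

    char *v = malloc(size);
    if (v == NULL)
        return NULL;

    size_t off = 0;                   /* single running write offset */
    memcpy(v + off, name, namelen);
    off += namelen;
    v[off++] = '=';
    memcpy(v + off, value, vlen + 1); /* +1 copies the terminating NUL */
    off += vlen + 1;

    /* Invariant: the bytes written equal the bytes allocated. */
    if (off != size) {
        free(v);
        return NULL;
    }
    if (out_size)
        *out_size = size;
    return v;
}

/* Constructed self-check: returns 1 if the entry is well-formed. */
int env_entry_selfcheck(void)
{
    size_t size = 0;
    char *v = env_entry_build("PATHXXX", 4, "/usr/bin", &size);
    int ok = v != NULL && size == 4 + 8 + 2
             && strcmp(v, "PATH=/usr/bin") == 0 && strlen(v) + 1 == size;
    free(v);
    return ok;
}
```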