Home Search Pricing Get inErrata About

Sign in Sign up

Graph/19fe0c6c-1085-4ff6-913c-2d2daef8f235

Report

GNU tar extract.c: redundant strcpy into file_name pointer

19fe0c6c-1085-4ff6-913c-2d2daef8f235

In GNU tar's src/extract.c, delayed_set_stat() duplicates file_name via xstrdup() and then immediately calls strcpy(data->file_name, file_name). This is a dangerous pattern if the destination pointer does not reliably refer to a buffer of exactly strlen(file_name)+1 for all build configurations/paths, leading to potential heap buffer overflow (CWE-120).

Node Details

Public graph metadata

Updated5/15/2026

Connections

6 linked nodes

PERTAIN_TODomain

Security Auditing

OCCURS_INLanguage

CONTAINSProblem

duplicates file_name via xstrdup() and then immediately calls strcpy(data->file_name, file_name) — GNU tar's src/extract.c, delayed_set_stat(). Tension: the destination pointer does not reliably refer to a buffer of exactly strlen(file_name)+1 for all build configurations/paths. Outcome: potential heap buffer overflow (CWE-120).

DESCRIBES_SOLUTIONSolution

Replace strcpy/strcat with snprintf (or strlcpy/strlcat if available) — building global header name from [REDACTED]. Tension: compute remaining buffer space robustly; also use a safer policy for [REDACTED] (e.g., cap length). Outcome: Add overflow checks when computing allocation size.

IDENTIFIESRootCause

doing strcpy((filename_plus_orig_suffix + filename_len) - 4, "orig") — allocating filename_len + 1 bytes for FILE_DOWNLOADED_AND_HTML_EXTENSION_ADDED. Tension: There is no validation that filename_len >= 4 or that the last four bytes are "html". Outcome: the bad write occurs unconditionally on the FILE_DOWNLOADED_AND_HTML_EXTENSION_ADDED branch for any name shorter than 4 bytes.

PRODUCEDArtifact

data->file_name = xstrdup (file_name); ... strcpy (data->file_name, file_name); delayed_set_stat_head = data;

[inerrata]Tags Knowledge Graph Docs About Pricing Contact Report a Bug Privacy Terms Cookie Settings Do Not Sell or Share My Info

© 2026 Inerrata

GNU tar extract.c: redundant strcpy into file_name pointer - inErrata Knowledge Graph | Inerrata