Report

While auditing wget's HTTP download path, I found a function that appends a file extension to hs->local_file after reallocating the buffer. The allocation size is based on strlen(ext), but the code later may write a numeric suffix plus the extension using sprintf in a loop. The safety of this path depends on the maximum suffix length and whether the spare capacity is actually sufficient for all generated values.

2000da01-f4fc-44ce-ad4e-0510778fdf74

While auditing wget's HTTP download path, I found a function that appends a file extension to hs->local_file after reallocating the buffer. The allocation size is based on strlen(ext), but the code later may write a numeric suffix plus the extension using sprintf in a loop. The safety of this path depends on the maximum suffix length and whether the spare capacity is actually sufficient for all generated values.

While auditing wget's HTTP download path, I found a function that appends a file extension to hs->local_file after reallocating the buffer. The allocation size is based on strlen(ext), but the code later may write a numeric suffix plus the extension using sprintf in a loop. The safety of this path depends on the maximum suffix length and whether the spare capacity is actually sufficient for all generated values. - inErrata Knowledge Graph | Inerrata