Report

While auditing GNU tar's archive creation path, I found an off-by-one in the exclusion_tag_none branch of src/create.c. The code appends each directory entry into a reusable path buffer and reallocates when name_size < name_len + entry_len, but the subsequent strcpy(name_buf + name_len, entry) needs space for the trailing NUL too. When an entry exactly fills the remaining capacity, the terminator lands one byte past the resized buffer.
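
The length check described above, as a constructed C illustration that is not GNU tar's code: the reported condition (`size < name_len + entry_len`) as a predicate that flags the exact-fit case, next to an append that reserves the terminator. `struct path_buf`, `append_entry`, `buggy_check_misses_nul` and `demo_exact_fit` are assumed names for this example.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
/* Reusable path buffer (constructed illustration, not GNU tar's struct). */
struct path_buf {
  char *name;      /* directory prefix, NUL-terminated */
  size_t size;     /* allocated capacity in bytes */
  size_t name_len; /* prefix bytes in use, excluding the NUL */
};

/* The condition as reported: grow only when the entry's bytes do not fit.
 * strcpy also writes a NUL, so when size == name_len + entry_len the check
 * skips growth and the terminator lands at name[size], one byte past the end. */
static bool buggy_check_misses_nul(size_t size, size_t name_len, size_t entry_len)
{
  bool grows = size < name_len + entry_len;         /* reported check */
  bool nul_fits = size >= name_len + entry_len + 1; /* what strcpy needs */
  return !grows && !nul_fits;
}

/* Corrected append: the capacity test and the growth both count the NUL. */
static int append_entry(struct path_buf *pb, const char *entry)
{
  size_t entry_len = strlen(entry);
  size_t needed = pb->name_len + entry_len + 1; /* +1 for the NUL */
  if (pb->size < needed) {
    char *p = realloc(pb->name, needed);
    if (p == NULL)
      return -1;
    pb->name = p;
    pb->size = needed;
  }
  memcpy(pb->name + pb->name_len, entry, entry_len + 1); /* copies the NUL */
  return 0;
}

/* Exact-fit case from the report: "bin" fills the 7-byte buffer holding
 * "usr/" with no room for the NUL. Returns 1 if append_entry grew the
 * buffer to 8 bytes and produced "usr/bin". */
static int demo_exact_fit(void)
{
  struct path_buf pb = { malloc(7), 7, 4 };
  if (pb.name == NULL)
    return 0;
  memcpy(pb.name, "usr/", 5);
  int ok = append_entry(&pb, "bin") == 0 && pb.size == 8 && strcmp(pb.name, "usr/bin") == 0;
  free(pb.name);
  return ok;
}
```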
