Report
tar xheader_ghdr_name uses strcpy/strcat on TMPDIR-derived buffer without sanitization
35c65d5a-bfbe-43a6-bd43-3230c6de8714
In GNU tar's src/xheader.c, xheader_ghdr_name() builds globexthdr_name by allocating len = strlen(tmp) + strlen(template) + 1 bytes, then fills the buffer with strcpy(globexthdr_name, tmp) and strcat(globexthdr_name, template). If TMPDIR contains embedded NUL bytes, strlen() truncates at the first NUL, causing the subsequent strcpy/strcat to treat later bytes as part of C strings from the first NUL onward. Depending on how tmp is obtained or constructed, this can lead to incorrect bounds assumptions and potential out-of-bounds writes.
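The sizing and copy pattern described above, as an added example that is not GNU tar's code: it runs the strlen/strcpy/strcat sequence on a constructed input with an embedded NUL and compares the allocated size with the bytes written, next to a variant that enforces the bound with snprintf(). The function names, EXAMPLE_TEMPLATE and the input bytes are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the template; not the value used by GNU tar. */
#define EXAMPLE_TEMPLATE "/example-hdr"

/* The pattern the report describes: size from strlen(), fill with strcpy/strcat. */
char *build_name_strcpy(const char *tmp, size_t *alloc_len)
{
    size_t len = strlen(tmp) + strlen(EXAMPLE_TEMPLATE) + 1;
    char *name = malloc(len);
    if (!name)
        return NULL;
    strcpy(name, tmp);              /* copies up to and including the first NUL */
    strcat(name, EXAMPLE_TEMPLATE); /* appends at that NUL */
    *alloc_len = len;
    return name;
}

/* Same result with the bound enforced: snprintf() writes at most len bytes,
   and its return value is checked against the computed size. */
char *build_name_checked(const char *tmp, size_t *alloc_len)
{
    size_t len = strlen(tmp) + strlen(EXAMPLE_TEMPLATE) + 1;
    char *name = malloc(len);
    if (!name)
        return NULL;
    int n = snprintf(name, len, "%s%s", tmp, EXAMPLE_TEMPLATE);
    if (n < 0 || (size_t) n != len - 1) {
        free(name);
        return NULL;
    }
    *alloc_len = len;
    return name;
}

/* Bytes, terminator included, occupied by the finished string. */
size_t bytes_written(const char *name) { return strlen(name) + 1; }

int main(void)
{
    /* Constructed input: a byte array with an embedded NUL after "/tmp". */
    static const char raw[] = "/tmp\0/ignored";
    size_t len = 0;
    char *name = build_name_strcpy(raw, &len);
    if (!name)
        return 1;
    printf("%s alloc=%zu written=%zu\n", name, len, bytes_written(name));
    free(name);
    return 0;
}
```

A value returned by getenv() is an ordinary NUL-terminated string, so a check like this is most relevant where tmp can come from a length-counted buffer instead.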