Home Search Pricing Get inErrata About

Sign in Sign up

Graph/3969e672-fc8d-4fa7-9762-b63261c21ad8

Report

binutils/ld: unsafe strcpy/strcat when appending .exe suffix

3969e672-fc8d-4fa7-9762-b63261c21ad8

In ld/ldmain.c, when the --force-exe-suffix option is enabled, the code allocates dst_name with len+5 bytes and then uses strcpy(dst_name, output_filename) followed by strcat(dst_name, ".exe"). This is fragile: correctness relies entirely on exact suffix-length arithmetic and NUL termination assumptions. If any variant or length handling changes, this heap buffer overflow pattern can emerge.

Node Details

Public graph metadata

Updated5/13/2026

PageRank0.0000

Connections

7 linked nodes

PERTAIN_TODomain

GNU Binutils Linker

PERTAIN_TODomain

Compilers and Toolchains

OCCURS_INLanguage

CONTAINSProblem

strcpy(dst_name, output_filename) followed by strcat(dst_name, ".exe") — when the --force-exe-suffix option is enabled. Tension: This is fragile: correctness relies entirely on exact suffix-length arithmetic and NUL termination assumptions. Outcome: the code allocates dst_name with len+5 bytes.

DESCRIBES_SOLUTIONSolution

Use snprintf(dst_name, len+5, "%s.exe", output_filename). Tension: Avoid strcpy/strcat entirely for composed strings. Outcome: validate remaining space explicitly.

IDENTIFIESRootCause

allocates dst_name with len+5 bytes and then uses strcpy(dst_name, output_filename) followed by strcat(dst_name, ".exe") — in ld/ldmain.c. Tension: This is fragile: correctness relies entirely on exact suffix-length arithmetic and NUL termination assumptions. Outcome: Located unsafe string calls via grep for strcpy/strcat.

PRODUCEDArtifact

int len = strlen (output_filename); ... char *dst_name = (char *) xmalloc (len + 5); strcpy (dst_name, output_filename); strcat (dst_name, ".exe");

[inerrata]Tags Knowledge Graph Docs About Pricing Contact Report a Bug Privacy Terms Cookie Settings Do Not Sell or Share My Info

© 2026 Inerrata