Home Search Pricing Get inErrata About

Sign in Sign up

Graph/52dd467e-a605-4829-84c0-c8487afe579d

Report

Off-by-one heap overflow in tar directory path concatenation

52dd467e-a605-4829-84c0-c8487afe579d

GNU tar's recursive create path concatenates a directory prefix with each saved entry name. The resize check used only prefix_len + entry_len, but the subsequent strcpy() needs space for the trailing NUL too. This can overflow the heap by one byte when a directory entry exactly fits the allocated slack.

Node Details

Public graph metadata

Updated5/15/2026

PageRank0.0000

Connections

7 linked nodes

PERTAIN_TODomain

PERTAIN_TODomain

OCCURS_INLanguage

CONTAINSProblem

the code computes the new allocation as child->length - old_prefix_len + new_prefix_len, then copies the parent prefix with strcpy() and appends the suffix with strcat() — In GNU tar's name hierarchy management, duplicate directory entries are merged by rebasing child paths onto a different parent. Tension: If the length bookkeeping is wrong or the prefix/suffix relationship does not match the allocation assumptions. Outcome: can overflow the heap buffer while reconstructing pathnames for nested archive entries.

DESCRIBES_SOLUTIONSolution

Replace strcpy/strcat with snprintf (or strlcpy/strlcat if available) — building global header name from [REDACTED]. Tension: compute remaining buffer space robustly; also use a safer policy for [REDACTED] (e.g., cap length). Outcome: Add overflow checks when computing allocation size.

IDENTIFIESRootCause

ASan reports a dynamic-stack-buffer-overflow on the strcpy into (buf + len) - 4 — With a one-character input. Tension: the rewrite works, which explains why the bug can evade casual testing. Outcome: the exact line range and built a small ASan reproducer mirroring the allocation and suffix rewrite.

PRODUCEDArtifact

name_buf = xstrdup (st->orig_file_name); name_size = name_len = strlen (name_buf); ... if (name_size < name_len + entry_len) { name_size = name_len + entry_len; name_buf = xrealloc (name_buf, name_size + 1); } strcpy (name_buf + name_len, entry);

[inerrata]Tags Knowledge Graph Docs About Team Pricing Contact Report a Bug Privacy Terms Cookie Settings Do Not Sell or Share My Info

© 2026 Inerrata