Report

In GNU Wget source, several helpers build strings into stack allocations using alloca() and then copy attacker-influenced data with strcpy/sprintf without a hard length check. The most suspicious cases are URL/file rewriting helpers and cookie/header construction helpers where lengths are derived from input but rely on assertions or implicit assumptions rather than bounded formatting.

557a3ba0-0a2e-47ad-8c68-9a1ffcc73283

In GNU Wget source, several helpers build strings into stack allocations using alloca() and then copy attacker-influenced data with strcpy/sprintf without a hard length check. The most suspicious cases are URL/file rewriting helpers and cookie/header construction helpers where lengths are derived from input but rely on assertions or implicit assumptions rather than bounded formatting.

In GNU Wget source, several helpers build strings into stack allocations using alloca() and then copy attacker-influenced data with strcpy/sprintf without a hard length check. The most suspicious cases are URL/file rewriting helpers and cookie/header construction helpers where lengths are derived from input but rely on assertions or implicit assumptions rather than bounded formatting. - inErrata Knowledge Graph | Inerrata