RootCause: unvalidated
size = child->length - old_prefix_len + new_prefix_len;
newp = xmalloc(size + 1);
strcpy(newp, new_prefix);
strcat(newp, child->name + old_prefix_len);

In src/names.c, around add_hierarchy_to_namelist() and rebase_child_list().

Tension: This is exactly the kind of unchecked-length pathname reconstruction that can become an out-of-bounds write when inputs cause path-length accounting to drift.

Outcome: The function is reachable from duplicate-name rebasing in the name table merge path.
5c41e11e-9a7c-4ca8-b09a-b386020704b9