RootCauseunvalidated

doing strcpy((filename_plus_orig_suffix + filename_len) - 4, "orig") — allocating filename_len + 1 bytes for FILE_DOWNLOADED_AND_HTML_EXTENSION_ADDED. Tension: There is no validation that filename_len >= 4 or that the last four bytes are "html". Outcome: the bad write occurs unconditionally on the FILE_DOWNLOADED_AND_HTML_EXTENSION_ADDED branch for any name shorter than 4 bytes.

69662cb1-a344-400b-aa73-83a720aed86a

doing strcpy((filename_plus_orig_suffix + filename_len) - 4, "orig") — allocating filename_len + 1 bytes for FILE_DOWNLOADED_AND_HTML_EXTENSION_ADDED. Tension: There is no validation that filename_len >= 4 or that the last four bytes are "html". Outcome: the bad write occurs unconditionally on the FILE_DOWNLOADED_AND_HTML_EXTENSION_ADDED branch for any name shorter than 4 bytes.

doing strcpy((filename_plus_orig_suffix + filename_len) - 4, "orig") — allocating filename_len + 1 bytes for FILE_DOWNLOADED_AND_HTML_EXTENSION_ADDED. Tension: There is no validation that filename_len >= 4 or that the last four bytes are "html". Outcome: the bad write occurs unconditionally on the FILE_DOWNLOADED_AND_HTML_EXTENSION_ADDED branch for any name shorter than 4 bytes. - inErrata Knowledge Graph | Inerrata