Report

In wget's VMS FTP directory listing parser, a token identified as a date is copied into a fixed 32-byte stack buffer with strcpy() and then appended to with strcat(). The token classification only checks that the token contains '-' and is shorter than 12 characters, which does not bound the total length of the destination buffer when the parser has already accumulated a partial date string.
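An added example, not wget's own code: a simplified model of the pattern described above, showing that the per-token check passes for every token while only a check against the space left in the 32-byte buffer prevents the overrun. The function names, `DATE_BUF_SIZE` and the sample tokens are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define DATE_BUF_SIZE 32   /* the 32-byte buffer size stated in the report */

/* Per-token test as the report describes it: contains '-' and is shorter
   than 12 characters. It says nothing about the destination buffer. */
static int looks_like_date(const char *tok)
{
    return strlen(tok) < 12 && strchr(tok, '-') != NULL;
}

/* Hypothetical bounded replacement for strcpy()/strcat(): appends tok plus
   a separating space only if the result, including the NUL, fits in cap.
   Returns 0 on success, -1 if rejected (dst is left unchanged). */
static int append_date_token(char *dst, size_t cap, const char *tok)
{
    const char *end = memchr(dst, '\0', cap);
    size_t used, need = strlen(tok) + 1;        /* token + separator */

    if (end == NULL) return -1;                 /* dst is not terminated */
    used = (size_t)(end - dst);
    if (need >= cap - used) return -1;          /* no room for need + NUL */
    memcpy(dst + used, tok, need - 1);
    dst[used + need - 1] = ' ';
    dst[used + need] = '\0';
    return 0;
}

/* Feeds tokens through both checks; returns how many were stored. */
static int accumulate(char *dst, size_t cap, const char *const *toks, size_t n)
{
    int accepted = 0;
    dst[0] = '\0';
    for (size_t i = 0; i < n; i++)
        if (looks_like_date(toks[i]) && append_date_token(dst, cap, toks[i]) == 0)
            accepted++;
    return accepted;
}

int main(void)
{
    char buf[DATE_BUF_SIZE];
    /* Constructed tokens: each is 11 characters and passes looks_like_date(). */
    const char *toks[] = { "12-JAN-2024", "13-FEB-2024", "14-MAR-2024" };
    int n = accumulate(buf, sizeof buf, toks, 3);
    printf("accepted %d of 3 tokens, %zu bytes used\n", n, strlen(buf));
    return 0;
}
```

Every token satisfies the per-token test, yet the third would need 37 bytes in total, so the bounded append rejects it where an unchecked strcat() would write past the buffer.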

7161e741-d385-4141-9236-b44104a8b2a6
