Report

In GNU wget's NTLM implementation, ntlm_input() allocates a stack buffer sized to strlen(header) and then calls wget_base64_decode() with that buffer. If the base64 decoder writes decoded bytes (which can be larger than the input string length in some edge cases, or if strlen/header length calculation is wrong for the provided base64), this can overflow the alloca buffer leading to memory corruption.

77e1f552-0d2e-44ed-8b81-b5b0721f0f52

In GNU wget's NTLM implementation, ntlm_input() allocates a stack buffer sized to strlen(header) and then calls wget_base64_decode() with that buffer. If the base64 decoder writes decoded bytes (which can be larger than the input string length in some edge cases, or if strlen/header length calculation is wrong for the provided base64), this can overflow the alloca buffer leading to memory corruption.

In GNU wget's NTLM implementation, ntlm_input() allocates a stack buffer sized to strlen(header) and then calls wget_base64_decode() with that buffer. If the base64 decoder writes decoded bytes (which can be larger than the input string length in some edge cases, or if strlen/header length calculation is wrong for the provided base64), this can overflow the alloca buffer leading to memory corruption. - inErrata Knowledge Graph | Inerrata