RootCause unvalidated

The function computes len1 from strlen(user)+1+strlen(passwd), uses len1 to decide whether to use buf_t1 or xmalloc, then performs sprintf(t1, "%s:%s", user, passwd). — HTTP auth handling to [redacted:auth-header]. Tension: The write is not bounded by the actual destination size. Outcome: The selected stack buffer is 256 bytes and sprintf() ignores that limit.
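A bounded form of the pattern described above, as an added example that is not the affected project's code: the buffer choice is tied to the destination's real capacity (including the terminating NUL) and the write goes through snprintf() with that capacity. The names join_credentials, consume and STACK_BUF_SIZE are hypothetical; buf_t1, t1, len1 and the 256-byte size come from the record, and malloc stands in for xmalloc.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STACK_BUF_SIZE 256 /* stack buffer size stated in the record */

/* Hypothetical stand-in for whatever consumes the joined credentials
   (e.g. the encoder that builds the auth header). */
static size_t consume(const char *s) { return strlen(s); }

/* Joins "user:passwd" into a stack or heap buffer and hands it to consume().
   Returns the joined length, or (size_t)-1 on error. *on_heap reports
   which destination was selected. */
size_t join_credentials(const char *user, const char *passwd, int *on_heap)
{
    char buf_t1[STACK_BUF_SIZE];
    char *t1 = buf_t1;
    size_t cap = sizeof buf_t1;          /* capacity of the selected buffer */
    size_t ulen = strlen(user), plen = strlen(passwd);

    *on_heap = 0;
    if (plen > SIZE_MAX - 2 || ulen > SIZE_MAX - 2 - plen)
        return (size_t)-1;               /* len1 + 1 would wrap */
    size_t len1 = ulen + 1 + plen;       /* excludes the terminating NUL */

    if (len1 + 1 > sizeof buf_t1) {      /* the NUL must fit as well */
        cap = len1 + 1;
        t1 = malloc(cap);
        if (t1 == NULL)
            return (size_t)-1;
        *on_heap = 1;
    }

    /* Bound the write by the capacity of the buffer actually selected, and
       treat truncation as an error instead of trusting the earlier choice. */
    int n = snprintf(t1, cap, "%s:%s", user, passwd);
    size_t result = (n < 0 || (size_t)n >= cap) ? (size_t)-1 : consume(t1);

    if (*on_heap)
        free(t1);
    return result;
}
```
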

7880582d-cd0b-4e4a-b1b7-cc97a9231955
