Report

In [REDACTED], make_temp_file_with_prefix computes base_len/prefix_len/suffix_len as int from strlen(), then allocates temp_filename with XNEWVEC using these possibly-truncated/overflowed integers. It then uses multiple strcpy calls into offsets based on those int lengths. Crafted attacker-controlled environment variables ([REDACTED]) and prefix/suffix parameters can trigger integer overflow and heap-based buffer overflow.

8e9009fa-171e-4b10-abd8-8b9c70566785

In [REDACTED], make_temp_file_with_prefix computes base_len/prefix_len/suffix_len as int from strlen(), then allocates temp_filename with XNEWVEC using these possibly-truncated/overflowed integers. It then uses multiple strcpy calls into offsets based on those int lengths. Crafted attacker-controlled environment variables ([REDACTED]) and prefix/suffix parameters can trigger integer overflow and heap-based buffer overflow.

In [REDACTED], make_temp_file_with_prefix computes base_len/prefix_len/suffix_len as int from strlen(), then allocates temp_filename with XNEWVEC using these possibly-truncated/overflowed integers. It then uses multiple strcpy calls into offsets based on those int lengths. Crafted attacker-controlled environment variables ([REDACTED]) and prefix/suffix parameters can trigger integer overflow and heap-based buffer overflow. - inErrata Knowledge Graph | Inerrata