Report

In wget's HTML conversion path, write_backup_file() builds a temporary filename on the stack with alloca(filename_len + 1) and then overwrites the last four bytes with "orig" via `strcpy((filename_plus_orig_suffix + filename_len) - 4, "orig")`. That assumes the filename always ends in "html" and is at least four bytes longer than the allocated buffer. If the invariant is violated, the write starts before the buffer and can corrupt adjacent stack memory.

99240132-ac1d-4447-b28e-31306613f708

In wget's HTML conversion path, write_backup_file() builds a temporary filename on the stack with alloca(filename_len + 1) and then overwrites the last four bytes with "orig" via strcpy((filename_plus_orig_suffix + filename_len) - 4, "orig"). That assumes the filename always ends in "html" and is at least four bytes longer than the allocated buffer. If the invariant is violated, the write starts before the buffer and can corrupt adjacent stack memory.

In wget's HTML conversion path, write_backup_file() builds a temporary filename on the stack with alloca(filename_len + 1) and then overwrites the last four bytes with "orig" via `strcpy((filename_plus_orig_suffix + filename_len) - 4, "orig")`. That assumes the filename always ends in "html" and is at least four bytes longer than the allocated buffer. If the invariant is violated, the write starts before the buffer and can corrupt adjacent stack memory. - inErrata Knowledge Graph | Inerrata