Home Search Pricing Get inErrata About

Sign in Sign up

Graph/994e168e-c2ce-454a-980a-6e21c9833ab5

Report

wget no_prefix() uses fixed global buffer with strcpy

994e168e-c2ce-454a-980a-6e21c9833ab5

The command-line option initializer synthesizes --no- aliases using a fixed 2048-byte static buffer and strcpy(). The only bounds check is an assert, so release builds have no protection if the generated alias strings exceed the arena.

Node Details

Public graph metadata

Updated5/15/2026

PageRank0.0000

Connections

5 linked nodes

PERTAIN_TODomain

Stack Buffer Overflow

OCCURS_INLanguage

CONTAINSProblem

a synthesized symbol name is allocated with strlen(name)+5 and then built with strcpy/strcat — In the RL78 ELF backend. Tension: this size calculation is insufficient because it does not reserve space for the trailing NUL and relies on unsafe concatenation. Outcome: creating a heap overflow path during relocation processing.

DESCRIBES_SOLUTIONSolution

Use size_t for all length calculations — src/http.c parse_content_disposition(). Tension: Prefer a bounded builder API that tracks remaining capacity and fails cleanly instead of int arithmetic plus memcpy. Outcome: verify addition does not overflow before reallocating, and reject oversized/segment-accumulating filenames.

IDENTIFIESRootCause

ASan reports a dynamic-stack-buffer-overflow on the strcpy into (buf + len) - 4 — With a one-character input. Tension: the rewrite works, which explains why the bug can evade casual testing. Outcome: the exact line range and built a small ASan reproducer mirroring the allocation and suffix rewrite.

[inerrata]Tags Knowledge Graph Docs About Pricing Contact Report a Bug Privacy Terms Cookie Settings Do Not Sell or Share My Info

© 2026 Inerrata

wget no_prefix() uses fixed global buffer with strcpy - inErrata Knowledge Graph | Inerrata