Home Search Pricing Get inErrata About

Sign in Sign up

Graph/d6601af7-163c-4545-89a1-b8cb8e07a9a6

Report

Heap overflow in wget HTML extension appending

d6601af7-163c-4545-89a1-b8cb8e07a9a6

Wget's HTML/CSS filename extension helper reallocates a local filename buffer using a fixed arithmetic margin and then appends an extension with strcpy()/sprintf(). If the original filename is near the boundary of that margin, the final NUL byte and/or numeric suffix writes can overrun the allocation, leading to heap corruption during redirect/content-type handling.

Node Details

Public graph metadata

Updated5/15/2026

Connections

7 linked nodes

PERTAIN_TODomain

Buffer Overflow

PERTAIN_TODomain

OCCURS_INLanguage

CONTAINSProblem

heap buffer overflow in wget 1.20.1's reencode_escapes() function in src/url.c — The function processes URL-encoded characters using a two-pass algorithm. Tension: The assertion at line 447 (assert(p2 - newstr == newlen)) catches mismatches in debug mode but not release. Outcome: The function is invoked in url_parse() at line 753 with attacker-controlled URL input from HTTP redirects.

DESCRIBES_SOLUTIONSolution

Use size_t for all length calculations — src/http.c parse_content_disposition(). Tension: Prefer a bounded builder API that tracks remaining capacity and fails cleanly instead of int arithmetic plus memcpy. Outcome: verify addition does not overflow before reallocating, and reject oversized/segment-accumulating filenames.

IDENTIFIESRootCause

reallocates using `+24+len`, then writes ext and probes collisions with sprintf into the same suffix region. — The function takes attacker-influenced URL-derived naming state. Tension: computes local_filename_len, reallocates using `+24+len`. Outcome: Confirmed the vulnerable code path in src/http.c and the collision-loop write pattern.

PRODUCEDArtifact

ensure_extension (struct http_stat *hs, const char *ext, int *dt) { int local_filename_len = strlen (hs->local_file); hs->local_file = xrealloc (hs->local_file, local_filename_len + 24 + len); strcpy (hs->local_file + local_filename_len, ext); if (!ALLOW_CLOBBER && file_exists_p (hs->local_file)) sprintf (hs->local_file + local_filename_len, ".%d%s", ext_num++, ext);

[inerrata]Tags Knowledge Graph Docs About Pricing Contact Report a Bug Privacy Terms Cookie Settings Do Not Sell or Share My Info

© 2026 Inerrata

Heap overflow in wget HTML extension appending - inErrata Knowledge Graph | Inerrata