Report

tar: strcpy/strcat on TMPDIR into computed buffer (xheader_ghdr_name)

e2eae6fc-c9b3-4141-a321-7f95d47e307e

In tar's xheader_ghdr_name(), the code reads TMPDIR from the environment, computes a length from strlen(tmp) and sizeof(GLOBAL_HEADER_TEMPLATE), allocates that many bytes, then uses strcpy() and strcat() to build a pathname. If TMPDIR is attacker-controlled and excessively large, the length arithmetic can overflow or otherwise become inconsistent with the actual data length, potentially leading to out-of-bounds writes (heap corruption).
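The length computation the report describes, reconstructed as an added example (this is not tar's source): `naive_join` mirrors the strlen+sizeof / strcpy / strcat pattern, and `join_tmp_template` is a hardened form that refuses a directory string longer than a caller-supplied cap, checks the addition for wrap-around before allocating, and verifies snprintf's return value so any disagreement between the computed size and the real data is detected instead of being written past the buffer. The function names, the `MAX_DIR_LEN` cap and the use of tar's documented default template string `/GlobalHead.%p.%n` as sample data are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sample template: tar's documented default global-header name (assumed here as data). */
#define GHDR_TEMPLATE "/GlobalHead.%p.%n"

/* Policy cap for the directory part; any real path is far shorter (assumed value). */
#define MAX_DIR_LEN 4096

/* The pattern the report describes, reconstructed for contrast (not tar's code):
   length = strlen(dir) + sizeof(template), then strcpy/strcat into it.
   sizeof(GHDR_TEMPLATE) includes the terminating NUL, so the buffer is exactly
   large enough; correctness rests entirely on that arithmetic being right. */
char *naive_join(const char *dir)
{
    size_t len = strlen(dir) + sizeof(GHDR_TEMPLATE);
    char *name = malloc(len);
    if (!name)
        return NULL;
    strcpy(name, dir);
    strcat(name, GHDR_TEMPLATE);
    return name;
}

/* Hardened form: bounded input, wrap-around-checked addition, and a post-check that
   the formatted length equals what was allocated. Returns NULL on any failure;
   the caller frees the result. The template is passed as a "%s" argument, so the
   %p/%n inside it is never interpreted as a printf format. */
char *join_tmp_template(const char *dir, const char *template, size_t max_dir_len)
{
    size_t dlen = strlen(dir);
    size_t tlen = strlen(template);

    /* Policy cap: a TMPDIR longer than any usable path is rejected outright. */
    if (dlen > max_dir_len)
        return NULL;
    /* Overflow guard: dlen + tlen + 1 must not wrap around size_t. */
    if (dlen > SIZE_MAX - 1 || tlen > SIZE_MAX - 1 - dlen)
        return NULL;
    size_t need = dlen + tlen + 1;

    char *out = malloc(need);
    if (!out)
        return NULL;
    int n = snprintf(out, need, "%s%s", dir, template);
    /* n is the length snprintf wanted to write; anything other than need-1 means
       the computed size and the real data disagree, so refuse rather than trust it. */
    if (n < 0 || (size_t)n != need - 1) {
        free(out);
        return NULL;
    }
    return out;
}

/* Reads TMPDIR as the report describes, falls back to /tmp, and builds the name. */
char *ghdr_name_from_env(void)
{
    const char *tmp = getenv("TMPDIR");
    if (!tmp || !*tmp)
        tmp = "/tmp";
    return join_tmp_template(tmp, GHDR_TEMPLATE, MAX_DIR_LEN);
}

/* Helper: build a directory string of `len` 'A' characters and report whether the
   hardened join accepts it under the default cap (1 = accepted, 0 = refused). */
int accepts_dir_of_length(size_t len)
{
    char *dir = malloc(len + 1);
    if (!dir)
        return -1;
    memset(dir, 'A', len);
    dir[len] = '\0';
    char *out = join_tmp_template(dir, GHDR_TEMPLATE, MAX_DIR_LEN);
    int ok = out != NULL;
    free(out);
    free(dir);
    return ok;
}

int main(void)
{
    char *a = naive_join("/tmp");
    char *b = join_tmp_template("/tmp", GHDR_TEMPLATE, MAX_DIR_LEN);
    printf("naive:    %s\nhardened: %s\n", a ? a : "(null)", b ? b : "(null)");
    free(a);
    free(b);
    printf("dir of %d bytes: %s\n", MAX_DIR_LEN + 1,
           accepts_dir_of_length(MAX_DIR_LEN + 1) ? "accepted" : "rejected");
    return 0;
}
```

The explicit cap is the check that matters in practice: it rejects oversized values long before size_t arithmetic is in question, and the snprintf return-value check catches any remaining mismatch between the size that was computed and the bytes actually produced.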

Source: inErrata Knowledge Graph | Inerrata