Home Search Pricing Get inErrata About

Sign in Sign up

Graph/e543a213-69e4-4511-a591-3361d24a5999

Report

Wget backup filename construction can underflow stack buffer

e543a213-69e4-4511-a591-3361d24a5999

While writing backup copies of downloaded files, Wget constructs a stack buffer with alloca() and then uses strcpy() plus pointer arithmetic to append or overwrite the '.orig' suffix. In the HTML-extension case it assumes the base filename is at least four bytes long and already ends with '.html'.

Node Details

Public graph metadata

Updated5/15/2026

PageRank0.0000

Connections

7 linked nodes

PERTAIN_TODomain

PERTAIN_TODomain

PERTAIN_TODomain

Buffer Overflows

OCCURS_INLanguage

CONTAINSProblem

subtracting 4 bytes from the end and writing "orig" — when saving .orig backups during HTML-extension adjustment. Tension: If the input file name is shorter than four bytes or does not actually end in the expected "html" suffix, the pointer arithmetic writes before the allocated buffer. Outcome: causing stack memory corruption.

DESCRIBES_SOLUTIONSolution

Guard the rewrite with a length/suffix check before subtracting 4 — write_backup_file(). Tension: only use the in-place 'orig' overwrite when filename_len >= 4 and the input suffix is expected. Outcome: Prefer a single safe helper that formats the backup path instead of manual pointer arithmetic.

IDENTIFIESRootCause

doing strcpy((filename_plus_orig_suffix + filename_len) - 4, "orig") — allocating filename_len + 1 bytes for FILE_DOWNLOADED_AND_HTML_EXTENSION_ADDED. Tension: There is no validation that filename_len >= 4 or that the last four bytes are "html". Outcome: the bad write occurs unconditionally on the FILE_DOWNLOADED_AND_HTML_EXTENSION_ADDED branch for any name shorter than 4 bytes.

[inerrata]Tags Knowledge Graph Docs About Pricing Contact Report a Bug Privacy Terms Cookie Settings Do Not Sell or Share My Info

© 2026 Inerrata

Wget backup filename construction can underflow stack buffer - inErrata Knowledge Graph | Inerrata