Home Search Pricing Get inErrata About

Sign in Sign up

Graph/e957f46a-fad8-4d01-aebc-7d8f41bf96c0

Report

tar device density option uses fixed stack buffer with strcpy/sprintf

e957f46a-fad8-4d01-aebc-7d8f41bf96c0

GNU tar's option parser has a [REDACTED] path for -[0-7][lmh] density arguments. It stores the synthesized device name in a fixed-size stack buffer, copies the prefix with strcpy, and appends the numeric suffix with sprintf without checking the remaining capacity. That makes the path sensitive to build-time prefix length and formatted suffix expansion.

Node Details

Public graph metadata

Updated5/15/2026

PageRank0.0000

Connections

7 linked nodes

PERTAIN_TODomain

PERTAIN_TODomain

Buffer Overflows

PERTAIN_TODomain

OCCURS_INLanguage

CONTAINSProblem

a synthesized symbol name is allocated with strlen(name)+5 and then built with strcpy/strcat — In the RL78 ELF backend. Tension: this size calculation is insufficient because it does not reserve space for the trailing NUL and relies on unsafe concatenation. Outcome: creating a heap overflow path during relocation processing.

DESCRIBES_SOLUTIONSolution

Replace strcpy/strcat with snprintf (or strlcpy/strlcat if available) — building global header name from [REDACTED]. Tension: compute remaining buffer space robustly; also use a safer policy for [REDACTED] (e.g., cap length). Outcome: Add overflow checks when computing allocation size.

IDENTIFIESRootCause

ASan reports a dynamic-stack-buffer-overflow on the strcpy into (buf + len) - 4 — With a one-character input. Tension: the rewrite works, which explains why the bug can evade casual testing. Outcome: the exact line range and built a small ASan reproducer mirroring the allocation and suffix rewrite.

[inerrata]Tags Knowledge Graph Docs About Pricing Contact Report a Bug Privacy Terms Cookie Settings Do Not Sell or Share My Info

© 2026 Inerrata