Report

GNU tar constructs the global extended-header filename from TMPDIR in xheader_ghdr_name(). It allocates strlen(TMPDIR)+sizeof(template) bytes, then copies TMPDIR with strcpy() and appends a template with strcat(). Because sizeof(template) already includes the terminating NUL, the allocation is one byte too small for the concatenated result, so a long TMPDIR causes a heap buffer overflow before any archive data is processed.

eb2b94b4-b174-4f9f-810e-2cbcb33a545e
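
A bounds-checked way to build the same kind of name, as an added example (not GNU tar's code): the required size is computed once, with a wrap check, and both copies are bounded by that size instead of relying on strcpy()/strcat(). The helper names, the template string and the /tmp fallback are assumptions, not taken from the report.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in template: an assumption, the report does not quote the real one. */
#define GHDR_TEMPLATE "/GlobalHead.%p.%n"

/* Bytes needed for dir + tmpl + NUL, or 0 if the sum would wrap size_t. */
size_t ghdr_name_size(const char *dir, const char *tmpl)
{
    size_t dlen = strlen(dir), tlen = strlen(tmpl);
    if (dlen > SIZE_MAX - tlen - 1)
        return 0;
    return dlen + tlen + 1;
}

/* Build "<dir><tmpl>" in a fresh heap buffer. Hypothetical helper, not tar's
   xheader_ghdr_name(). Each copy is bounded by the length that sized the
   allocation, so the size and the writes cannot drift apart. */
char *build_ghdr_name(const char *dir, const char *tmpl, size_t *size_out)
{
    if (!dir || !*dir)
        dir = "/tmp";            /* assumed fallback when TMPDIR is unset */
    size_t need = ghdr_name_size(dir, tmpl);
    if (need == 0)
        return NULL;
    char *name = malloc(need);
    if (!name)
        return NULL;
    size_t dlen = strlen(dir);
    memcpy(name, dir, dlen);
    memcpy(name + dlen, tmpl, need - dlen);   /* template plus its NUL */
    if (size_out)
        *size_out = need;
    return name;
}

int main(void)
{
    size_t size = 0;
    char *name = build_ghdr_name(getenv("TMPDIR"), GHDR_TEMPLATE, &size);
    if (!name)
        return 1;
    /* The terminator must be the last allocated byte, never one past it. */
    int ok = strlen(name) + 1 == size;
    free(name);
    return ok ? 0 : 1;
}
```

Building the test binary with -fsanitize=address and running it with a very long TMPDIR confirms that no write lands outside the allocation.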
