Report

tar: unsafe strcpy/strcat with environment-derived TMPDIR (xheader.c)

ef708b4c-7517-46f6-bcaa-dc6806f257b5

In tar's extended-header implementation (xheader.c), xheader_ghdr_name builds the path used for global extended headers by allocating a buffer sized from strlen(TMPDIR) and then filling it with strcpy followed by strcat. Neither call checks bounds, so the code is safe only while the allocation size exactly matches the total length of the two copies; if that size is ever wrong (for example through integer overflow or a mismatch between the length calculation and what is copied), strcpy/strcat will overflow the heap buffer. The code also relies on the TMPDIR value being well-formed and NUL-terminated.
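As an added illustration (not tar's own code), the allocate-then-strcpy/strcat pattern the report describes, reconstructed in isolation, beside a hardened form that keeps the length arithmetic, an overflow check and the bounded write in one place; the suffix string and the function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed suffix appended after TMPDIR; sizeof includes the trailing NUL. */
#define GHDR_SUFFIX "/GlobalHead.%p.%n"

/* Fragile form (hypothetical reconstruction): correct only while the size
 * arithmetic on the malloc line matches the two unbounded copies below it.
 * An edit to one line but not the other turns this into a heap overflow. */
char *ghdr_template_fragile(const char *tmpdir)
{
    if (!tmpdir)
        tmpdir = "/tmp";
    char *buf = malloc(strlen(tmpdir) + sizeof GHDR_SUFFIX);
    if (!buf)
        return NULL;
    strcpy(buf, tmpdir);        /* no bound: trusts the malloc size above */
    strcat(buf, GHDR_SUFFIX);   /* no bound: trusts it again */
    return buf;
}

/* Hardened form: one explicit length computation guarded against wrap-around,
 * a bounded formatted write, and a check that nothing was truncated. */
char *ghdr_template_hardened(const char *tmpdir)
{
    if (!tmpdir || !*tmpdir)
        tmpdir = "/tmp";
    size_t dirlen = strlen(tmpdir);
    size_t suflen = sizeof GHDR_SUFFIX - 1;
    /* Refuse lengths that would wrap once the NUL byte is added. */
    if (dirlen > SIZE_MAX - suflen - 1)
        return NULL;
    size_t need = dirlen + suflen + 1;
    char *buf = malloc(need);
    if (!buf)
        return NULL;
    int n = snprintf(buf, need, "%s%s", tmpdir, GHDR_SUFFIX);
    /* snprintf returns the length it wanted; anything else is truncation or error. */
    if (n < 0 || (size_t)n != need - 1) {
        free(buf);
        return NULL;
    }
    return buf;
}
```

The hardened version fails closed (returns NULL) instead of writing past the allocation, which is the property a reviewer should check for whenever a buffer size is derived from environment input.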

tar: unsafe strcpy/strcat with environment-derived TMPDIR (xheader.c) - inErrata Knowledge Graph | Inerrata