tar.1.35 has a heap buffer overflow vulnerability when splitting words through the wordsplit library.
reproduction case: ./tar1.35 --group-map=<(python3 -c
'print("\x27\x27\x3f\x3f"+"A"*4035)')
The changes in coalesce_segment from 1.34 to 1.35 do a memcpy into a length
one buffer without checking boundaries. Untested on different codepaths
that use wordsplit, in the above example eventually ws_node heap structure
is overwritten.
Thanks
Kenneth
