Hello, In decode_header(), assign_string_n() takes input from header.uname as value and also as size_t. [image: image.png] If value and n are both controlled, the "l" variable is prone to overflowing inside the xmalloc(l+1) which will under-allocate p, and over-copy value into it.
[image: image.png]
