Hello,
I have noticed, while auditing tar's decode_options() function, that new_argc
is prone to integer overflow.
In the case of handling arguments, if no "-" is provided and the arguments
provided are near max_int, it will overflow, resulting in under-allocation of
new_argv[].
In practice this
Hello,
In decode_header(), assign_string_n() takes input from header.uname as
value and also as size_t.
If value and n are both controlled, the "l" variable is prone to
overflowing inside the xmalloc(l+1)
which will under-allocate p, and over-copy value into it.
My bad, I missed that uname is of max size 31.
On Mon, Dec 23, 2024 at 15:37, exploit dev wrote:
> Hello,
>
> In decode_header(), assign_string_n() takes input from header.uname as
> value and also as size_t.
> If value and n are both controlled, t
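
The two size computations discussed in this thread (a counter that grows toward INT_MAX before new_argv[] is sized, and l + 1 passed to an allocator), written with explicit overflow checks. This is an added example, not code from tar or from the posters; copy_field_checked and argv_alloc_size are hypothetical names, and the 8-byte field is constructed sample data.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not tar's code): duplicate at most n bytes of a
   fixed-width, possibly unterminated field as a NUL-terminated string. */
char *copy_field_checked(const char *value, size_t n)
{
    const char *nul = memchr(value, '\0', n);   /* portable strnlen() */
    size_t l = nul ? (size_t)(nul - value) : n;
    if (l == SIZE_MAX)                          /* l + 1 would wrap to 0 */
        return NULL;
    char *p = malloc(l + 1);
    if (p == NULL)
        return NULL;
    memcpy(p, value, l);                        /* copies exactly what was sized */
    p[l] = '\0';
    return p;
}

/* Hypothetical helper: byte size of an argv array holding argc + extra
   pointers plus the terminating NULL; false if any step would overflow. */
bool argv_alloc_size(int argc, size_t extra, size_t *bytes)
{
    if (argc < 0)
        return false;
    size_t room = (size_t)INT_MAX - (size_t)argc;
    if (extra >= room)                          /* count + NULL slot must fit an int */
        return false;
    size_t slots = (size_t)argc + extra + 1;
    if (slots > SIZE_MAX / sizeof(char *))      /* slots * pointer size would wrap */
        return false;
    *bytes = slots * sizeof(char *);
    return true;
}

int main(void)
{
    const char field[8] = {'A','B','C','D','E','F','G','H'}; /* constructed, no NUL */
    char *s = copy_field_checked(field, sizeof field);
    size_t bytes = 0;
    printf("copied %zu bytes\n", s ? strlen(s) : 0);
    printf("INT_MAX + 1 accepted: %d\n", argv_alloc_size(INT_MAX, 1, &bytes));
    free(s);
    return 0;
}
```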