Please see this test case for cpio 2.11: http://lcamtuf.coredump.cx/afl/vulns/lesspipe-cpio-bad-write.cpio
As far as I can tell, it's a file with a declared length field of (int)-1. That gets us to this portion of code in copyin.c (list_file()), with c_filesize just taken from the input file:

  link_name = (char *) xmalloc ((unsigned int) file_hdr->c_filesize + 1);
  link_name[file_hdr->c_filesize] = '\0';

...cpio ends up allocating a zero-sized buffer and then writing out of bounds, which could conceivably pose a security risk when trying to examine untrusted archives (e.g., when invoked from lesspipe).

/mz
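The arithmetic behind the zero-sized allocation, as an added C example (not cpio's code and not part of the post above): the quoted size expression is modelled as a function of the declared length, c_filesize is assumed to be a signed 64-bit value (as an off_t would be on an LP64 host), and the hardened variant with its MAX_LINK_LEN cap is an illustrative check, not cpio's actual fix.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Models the quoted size expression from list_file():
 *   xmalloc ((unsigned int) file_hdr->c_filesize + 1)
 * The cast to unsigned int truncates to 32 bits, and the +1 is done in
 * unsigned int arithmetic, so a declared length of 0xffffffff (or a
 * negative value with that bit pattern) wraps to 0. Returns the number of
 * bytes that would be handed to the allocator. */
size_t unchecked_alloc_size(int64_t c_filesize) {
    return (unsigned int) c_filesize + 1;
}

/* Does the subsequent store link_name[c_filesize] = '\0' land inside a
 * buffer of 'alloc' bytes? Note the index is the untruncated c_filesize,
 * so it can be far outside even when the size wrapped to 0. */
int store_in_bounds(int64_t c_filesize, size_t alloc) {
    return c_filesize >= 0 && (uint64_t) c_filesize < alloc;
}

/* Hardened variant (assumption: a fixed cap, not cpio's real remedy):
 * reject negative or implausibly large link lengths before any arithmetic
 * happens. Returns 0 on rejection. */
#define MAX_LINK_LEN ((int64_t) 1 << 20)  /* assumed sane upper bound for a symlink target */
size_t checked_alloc_size(int64_t c_filesize) {
    if (c_filesize < 0 || c_filesize > MAX_LINK_LEN)
        return 0;
    return (size_t) c_filesize + 1;
}

/* Allocate and NUL-terminate the link name using the checked size.
 * Returns NULL when the declared length is rejected or malloc fails; when
 * non-NULL, the terminator store is provably inside the buffer because
 * c_filesize < checked_alloc_size(c_filesize). Caller frees. */
char *alloc_link_name(int64_t c_filesize) {
    size_t n = checked_alloc_size(c_filesize);
    if (n == 0)
        return NULL;
    char *link_name = malloc(n);
    if (link_name == NULL)
        return NULL;
    link_name[c_filesize] = '\0';
    return link_name;
}

int main(void) {
    /* Constructed inputs: the archive's (int)-1 length field, seen as the
     * raw 32-bit pattern and as a sign-extended value, plus a benign one. */
    const int64_t samples[] = { (int64_t) 0xffffffffLL, -1, 5 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int64_t declared = samples[i];
        size_t n = unchecked_alloc_size(declared);
        printf("declared=%" PRId64 " unchecked size=%zu store in bounds=%d"
               " checked size=%zu\n",
               declared, n, store_in_bounds(declared, n),
               checked_alloc_size(declared));
        char *p = alloc_link_name(declared);
        free(p);
    }
    return 0;
}
```

The point the numbers make: for both forms of the -1 length the unchecked size is 0 while the terminator index is 0xffffffff or -1, so the write is out of bounds either way; the checked variant rejects both before anything is allocated.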
