Skip to content

Commit 33d3528

Browse files
committed
tar: Always treat negative sizes as error
If a pax global header specifies a negative size, it is possible to reduce variable `unconsumed` by 512 bytes, leading to a re-reading of the pax global header. Fortunately the loop verifies that only one global header per entry is allowed, leading to a later ARCHIVE_FATAL. Avoid any form of negative size handling and fail early. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
1 parent 6389d17 commit 33d3528

1 file changed

Lines changed: 9 additions & 3 deletions

File tree

libarchive/archive_read_support_format_tar.c

Lines changed: 9 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1304,10 +1304,13 @@ read_body_to_string(struct archive_read *a, struct tar *tar,
13041304
(void)tar; /* UNUSED */
13051305
header = (const struct archive_entry_header_ustar *)h;
13061306
size = tar_atol(header->size, sizeof(header->size));
1307-
if (size > entry_limit) {
1307+
if (size < 0 || size > entry_limit) {
1308+
archive_set_error(&a->archive, EINVAL,
1309+
"Special header has invalid size: %lld",
1310+
(long long)size);
13081311
return (ARCHIVE_FATAL);
13091312
}
1310-
if ((size > (int64_t)pathname_limit) || (size < 0)) {
1313+
if (size > (int64_t)pathname_limit) {
13111314
archive_string_empty(as);
13121315
int64_t to_consume = ((size + 511) & ~511);
13131316
if (to_consume != __archive_read_consume(a, to_consume)) {
@@ -1754,7 +1757,10 @@ header_pax_global(struct archive_read *a, struct tar *tar,
17541757

17551758
header = (const struct archive_entry_header_ustar *)h;
17561759
size = tar_atol(header->size, sizeof(header->size));
1757-
if (size > entry_limit) {
1760+
if (size < 0 || size > entry_limit) {
1761+
archive_set_error(&a->archive, EINVAL,
1762+
"Special header has invalid size: %lld",
1763+
(long long)size);
17581764
return (ARCHIVE_FATAL);
17591765
}
17601766
to_consume = ((size + 511) & ~511);

0 commit comments

Comments
 (0)