diff options
Diffstat (limited to 'src/3rdparty/libarchive/libarchive/archive_read_support_format_tar.c')
-rw-r--r-- | src/3rdparty/libarchive/libarchive/archive_read_support_format_tar.c | 20 |
1 files changed, 17 insertions, 3 deletions
diff --git a/src/3rdparty/libarchive/libarchive/archive_read_support_format_tar.c b/src/3rdparty/libarchive/libarchive/archive_read_support_format_tar.c index bfdad7f8..93c3fd58 100644 --- a/src/3rdparty/libarchive/libarchive/archive_read_support_format_tar.c +++ b/src/3rdparty/libarchive/libarchive/archive_read_support_format_tar.c @@ -407,14 +407,13 @@ archive_read_format_tar_bid(struct archive_read *a, int best_bid) /* * Check format of mode/uid/gid/mtime/size/rdevmajor/rdevminor fields. */ - if (bid > 0 && ( - validate_number_field(header->mode, sizeof(header->mode)) == 0 + if (validate_number_field(header->mode, sizeof(header->mode)) == 0 || validate_number_field(header->uid, sizeof(header->uid)) == 0 || validate_number_field(header->gid, sizeof(header->gid)) == 0 || validate_number_field(header->mtime, sizeof(header->mtime)) == 0 || validate_number_field(header->size, sizeof(header->size)) == 0 || validate_number_field(header->rdevmajor, sizeof(header->rdevmajor)) == 0 - || validate_number_field(header->rdevminor, sizeof(header->rdevminor)) == 0)) { + || validate_number_field(header->rdevminor, sizeof(header->rdevminor)) == 0) { bid = 0; } @@ -2108,6 +2107,21 @@ pax_attribute(struct archive_read *a, struct tar *tar, /* "size" is the size of the data in the entry. */ tar->entry_bytes_remaining = tar_atol10(value, strlen(value)); + if (tar->entry_bytes_remaining < 0) { + tar->entry_bytes_remaining = 0; + archive_set_error(&a->archive, + ARCHIVE_ERRNO_MISC, + "Tar size attribute is negative"); + return (ARCHIVE_FATAL); + } + if (tar->entry_bytes_remaining == INT64_MAX) { + /* Note: tar_atol returns INT64_MAX on overflow */ + tar->entry_bytes_remaining = 0; + archive_set_error(&a->archive, + ARCHIVE_ERRNO_MISC, + "Tar size attribute overflow"); + return (ARCHIVE_FATAL); + } /* * The "size" pax header keyword always overrides the * "size" field in the tar header. |