diff options
author | Sergey Poznyakoff <gray@gnu.org> | 2021-08-28 14:15:25 +0300 |
---|---|---|
committer | Sergey Poznyakoff <gray@gnu.org> | 2021-08-28 14:15:25 +0300 |
commit | cc8f5f78b2437f50f0972433275b910b10d46717 (patch) | |
tree | dc96b83f90d6fb6e0b440ad2329876775cff2a12 | |
parent | 193eb8f81d8fbf7b1f3bd2b93f60882e56325d72 (diff) | |
download | tar-cc8f5f78b2437f50f0972433275b910b10d46717.tar.gz |
Handle invalid sparse entries in pax header
* src/sparse.c (pax_decode_header): Check if sp.offset+sp.numbytes
falls within the reported file size. Check for possible integer
overflow.
-rw-r--r-- | src/sparse.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/src/sparse.c b/src/sparse.c index 2ebc6212..7587edb2 100644 --- a/src/sparse.c +++ b/src/sparse.c @@ -1309,7 +1309,9 @@ pax_decode_header (struct tar_sparse_file *file) } sp.offset = u; COPY_BUF (blk,nbuf,p); - if (!decode_num (&u, nbuf, TYPE_MAXIMUM (off_t))) + if (!decode_num (&u, nbuf, TYPE_MAXIMUM (off_t)) + || INT_ADD_OVERFLOW (sp.offset, u) + || file->stat_info->stat.st_size < sp.offset + u) { ERROR ((0, 0, _("%s: malformed sparse archive member"), file->stat_info->orig_file_name)); |