From cc8f5f78b2437f50f0972433275b910b10d46717 Mon Sep 17 00:00:00 2001
From: Sergey Poznyakoff <gray@gnu.org>
Date: Sat, 28 Aug 2021 14:15:25 +0300
Subject: Handle invalid sparse entries in pax header

* src/sparse.c (pax_decode_header): Check if sp.offset+sp.numbytes
falls within the reported file size.  Check for possible integer
overflow.
---
 src/sparse.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/sparse.c b/src/sparse.c
index 2ebc6212..7587edb2 100644
--- a/src/sparse.c
+++ b/src/sparse.c
@@ -1309,7 +1309,9 @@ pax_decode_header (struct tar_sparse_file *file)
 	    }
 	  sp.offset = u;
 	  COPY_BUF (blk,nbuf,p);
-	  if (!decode_num (&u, nbuf, TYPE_MAXIMUM (off_t)))
+	  if (!decode_num (&u, nbuf, TYPE_MAXIMUM (off_t))
+	      || INT_ADD_OVERFLOW (sp.offset, u)
+	      || file->stat_info->stat.st_size < sp.offset + u)
 	    {
 	      ERROR ((0, 0, _("%s: malformed sparse archive member"),
 		      file->stat_info->orig_file_name));
-- 
cgit v1.2.1