Merge pull request #2644 from stoeckmann/tar_neg_size

tar: Always treat negative sizes as error
(cherry picked from commit d261f46ae57f115a48c0bef10643753cb305a9a5)

diff --git a/libarchive/archive_read_support_format_tar.c b/libarchive/archive_read_support_format_tar.c
index f142c67a195683669073c70cf3d72333854ef693..89875f64da2b66bd1612ea7f4ff6551c36c77871 100644 (file)
--- a/libarchive/archive_read_support_format_tar.c
+++ b/libarchive/archive_read_support_format_tar.c
@@ -1304,10 +1304,13 @@ read_body_to_string(struct archive_read *a, struct tar *tar,
        (void)tar; /* UNUSED */
        header = (const struct archive_entry_header_ustar *)h;
        size  = tar_atol(header->size, sizeof(header->size));
-       if (size > entry_limit) {
+       if (size < 0 || size > entry_limit) {
+               archive_set_error(&a->archive, EINVAL,
+                   "Special header has invalid size: %lld",
+                   (long long)size);
                return (ARCHIVE_FATAL);
        }
-       if ((size > (int64_t)pathname_limit) || (size < 0)) {
+       if (size > (int64_t)pathname_limit) {
                archive_string_empty(as);
                int64_t to_consume = ((size + 511) & ~511);
                if (to_consume != __archive_read_consume(a, to_consume)) {
@@ -1754,7 +1757,10 @@ header_pax_global(struct archive_read *a, struct tar *tar,
 
        header = (const struct archive_entry_header_ustar *)h;
        size = tar_atol(header->size, sizeof(header->size));
-       if (size > entry_limit) {
+       if (size < 0 || size > entry_limit) {
+               archive_set_error(&a->archive, EINVAL,
+                   "Special header has invalid size: %lld",
+                   (long long)size);
                return (ARCHIVE_FATAL);
        }
        to_consume = ((size + 511) & ~511);