From: Tim Kientzle <kientzle@acm.org>
Date: Wed, 5 Nov 2025 03:30:01 +0000 (-0800)
Subject: Merge pull request #2775 from AZero13/off-by-one
X-Git-Tag: v3.8.3~10
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=30ca142b35a08fef7f43e6d410260318a661eb76;p=thirdparty%2Flibarchive.git

Merge pull request #2775 from AZero13/off-by-one

[tar] Bounds check newdir_len

(cherry picked from commit 26c769ecdc0b9f4dd8f2d6e24d17a975cb9c9a9b)
---

diff --git a/tar/util.c b/tar/util.c
index fc5e15cb0..6e41e49de 100644
--- a/tar/util.c
+++ b/tar/util.c
@@ -314,7 +314,10 @@ set_chdir(struct bsdtar *bsdtar, const char *newdir)
 		/* The -C /foo -C bar case; concatenate */
 		char *old_pending = bsdtar->pending_chdir;
 		size_t old_len = strlen(old_pending);
-        size_t new_len = old_len + strlen(newdir) + 2;
+		size_t newdir_len = strlen(newdir);
+		size_t new_len = old_len + newdir_len + 2;
+		if (old_len > SIZE_MAX - newdir_len - 2)
+		    lafe_errc(1, errno, "Path too long");
 		bsdtar->pending_chdir = malloc(new_len);
 		if (old_pending[old_len - 1] == '/')
 			old_pending[old_len - 1] = '\0';