From: Tim Kientzle Date: Mon, 30 Dec 2013 17:43:25 +0000 (-0800) Subject: Be stricter about the checksum field; reduce false-positives on the bid X-Git-Tag: v3.1.900a~334 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5be2fa91e5e6981a467ae349864e8b3a4ce251a6;p=thirdparty%2Flibarchive.git Be stricter about the checksum field; reduce false-positives on the bid --- diff --git a/libarchive/archive_read_support_format_tar.c b/libarchive/archive_read_support_format_tar.c index f491639f8..b39298a10 100644 --- a/libarchive/archive_read_support_format_tar.c +++ b/libarchive/archive_read_support_format_tar.c @@ -798,6 +798,13 @@ checksum(struct archive_read *a, const void *h) bytes = (const unsigned char *)h; header = (const struct archive_entry_header_ustar *)h; + /* Checksum field must hold an octal number */ + for (i = 0; i < sizeof(header->checksum); ++i) { + char c = header->checksum[i]; + if (c != ' ' && c != '\0' && (c < '0' || c > '7')) + return 0; + } + /* * Test the checksum. Note that POSIX specifies _unsigned_ * bytes for this calculation.
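Review bot: the new loop in checksum() uses `i` as its index, but no declaration of `i` appears in the hunk or its visible context; if it is not already declared earlier in the function, add `size_t i;` (matching the type of `sizeof(header->checksum)`) so the comparison `i < sizeof(header->checksum)` does not mix signed and unsigned types. A second point on the same loop: the comment says the field "must hold an octal number", but the test only rejects characters outside `' '`, `'\0'` and `'0'..'7'`, so a field consisting entirely of spaces or NULs, or one with digits interleaved with separators, still passes and falls through to the numeric checksum comparison below; if the intent is to make the bid stricter, consider also requiring at least one octal digit, or state in the comment that the digit-class check is deliberately permissive and the arithmetic check is what actually decides.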