From: Tobias Stoeckmann Date: Tue, 27 May 2025 18:30:01 +0000 (+0200) Subject: tar: Always treat negative sizes as error X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F2644%2Fhead;p=thirdparty%2Flibarchive.git tar: Always treat negative sizes as error If a pax global header specifies a negative size, it is possible to reduce variable `unconsumed` by 512 bytes, leading to a re-reading of the pax global header. Fortunately the loop verifies that only one global header per entry is allowed, leading to a later ARCHIVE_FATAL. Avoid any form of negative size handling and fail early. Signed-off-by: Tobias Stoeckmann
---
diff --git a/libarchive/archive_read_support_format_tar.c b/libarchive/archive_read_support_format_tar.c
index 1cc667169..52612fc37 100644
--- a/libarchive/archive_read_support_format_tar.c
+++ b/libarchive/archive_read_support_format_tar.c
@@ -1304,10 +1304,13 @@ read_body_to_string(struct archive_read *a, struct tar *tar,
 (void)tar; /* UNUSED */
 header = (const struct archive_entry_header_ustar *)h;
 size = tar_atol(header->size, sizeof(header->size));
- if (size > entry_limit) {
+ if (size < 0 || size > entry_limit) {
+ archive_set_error(&a->archive, EINVAL,
+ "Special header has invalid size: %lld",
+ (long long)size);
 return (ARCHIVE_FATAL);
 }
- if ((size > (int64_t)pathname_limit) || (size < 0)) {
+ if (size > (int64_t)pathname_limit) {
 archive_string_empty(as);
 int64_t to_consume = ((size + 511) & ~511);
 if (to_consume != __archive_read_consume(a, to_consume)) {
@@ -1754,7 +1757,10 @@ header_pax_global(struct archive_read *a, struct tar *tar,
 header = (const struct archive_entry_header_ustar *)h;
 size = tar_atol(header->size, sizeof(header->size));
- if (size > entry_limit) {
+ if (size < 0 || size > entry_limit) {
+ archive_set_error(&a->archive, EINVAL,
+ "Special header has invalid size: %lld",
+ (long long)size);
 return (ARCHIVE_FATAL);
 }
 to_consume = ((size + 511) & ~511);
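Review bot: The four-line size guard added in read_body_to_string is repeated verbatim in the header_pax_global hunk, so the two checks can drift apart the next time the limit or the message changes. A small static helper (named, for example, check_special_size) that takes `a`, `size` and `entry_limit`, sets the error and returns ARCHIVE_FATAL or ARCHIVE_OK would keep them in step, leaving each site as `if (check_special_size(a, size, entry_limit) != ARCHIVE_OK) return (ARCHIVE_FATAL);`. Other places that parse `header->size` with tar_atol are outside this diff; given the commit title, it is worth confirming that they reject negative values the same way. read_body_to_string starts and ends outside the hunk.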
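Review bot: The new guard in header_pax_global carries no comment saying why a negative size has to be fatal before the rounding on the hunk's last line; the reason lives only in the commit message. Per that description, a negative value that reaches `(size + 511) & ~511` can lower `unconsumed`, so the same global header is read again. I would add above the check: `/* A crafted size field can parse as negative; reject it before rounding up to a block multiple, where to_consume could become negative. */`. The function continues outside the hunk, so how `to_consume` is used afterwards is not visible here.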