From: Martin Matuska <martin@matuska.de>
Date: Mon, 8 Dec 2025 20:40:46 +0000 (+0100)
Subject: tar: fix off-bounds read resulting from #2787 (3150539ed)
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F2809%2Fhead;p=thirdparty%2Flibarchive.git

tar: fix off-bounds read resulting from #2787 (3150539ed)
---

diff --git a/tar/subst.c b/tar/subst.c
index a466f6535..53497ad0d 100644
--- a/tar/subst.c
+++ b/tar/subst.c
@@ -237,7 +237,7 @@ apply_substitution(struct bsdtar *bsdtar, const char *name, char **result,
 
 		char isEnd = 0;
 		do {
-            isEnd = *name == '\0';
+			isEnd = *name == '\0';
 			if (regexec(&rule->re, name, 10, matches, 0))
 				break;
 
@@ -293,13 +293,13 @@ apply_substitution(struct bsdtar *bsdtar, const char *name, char **result,
 
 			realloc_strcat(result, rule->result + j);
 			if (matches[0].rm_eo > 0) {
-                name += matches[0].rm_eo;
-            } else {
-                // We skip a character because the match is 0-length
-                // so we need to add it to the output
-                realloc_strncat(result, name, 1);
-                name += 1;
-            }
+				name += matches[0].rm_eo;
+			} else if (!isEnd) {
+				// We skip a character because the match is 0-length
+				// so we need to add it to the output
+				realloc_strncat(result, name, 1);
+				name += 1;
+			}
 		} while (rule->global && !isEnd); // Testing one step after because sed et al. run 0-length patterns a last time on the empty string at the end
 	}