From 39324fcf28f67d072909b6e385f6d07b142457c5 Mon Sep 17 00:00:00 2001
From: Michael Schroeder
Date: Tue, 5 Aug 2025 11:57:14 +0200
Subject: [PATCH] repo_arch: limit the package entry size

---
 ext/repo_arch.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/ext/repo_arch.c b/ext/repo_arch.c
index 4221b058..1bea691c 100644
--- a/ext/repo_arch.c
+++ b/ext/repo_arch.c
@@ -23,6 +23,8 @@
 #include "tarhead.h"
 #include "repo_arch.h"

+#define MAX_ENTRY_SIZE 0x1000000
+
 static Offset
 adddep(Repo *repo, Offset olddeps, char *line)
 {
@@ -98,7 +100,7 @@ repo_add_arch_pkg(Repo *repo, const char *fn, int flags)
 tarhead_init(&th, fp);
 while (tarhead_next(&th) > 0)
 {
- if (th.type != 1 || strcmp(th.path, ".PKGINFO") != 0)
+ if (th.type != 1 || strcmp(th.path, ".PKGINFO") != 0 || th.length > MAX_ENTRY_SIZE)
 {
 tarhead_skip(&th);
 continue;
@@ -467,7 +469,7 @@ repo_add_arch_repo(Repo *repo, FILE *fp, int flags)
 while (tarhead_next(&th) > 0)
 {
 char *bn;
- if (th.type != 1)
+ if (th.type != 1 || th.length > MAX_ENTRY_SIZE)
 {
 tarhead_skip(&th);
 continue;
--
2.47.2
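Review bot: MAX_ENTRY_SIZE is introduced in the first hunk without a comment, so the unit and the reason for choosing 0x1000000 (16 MiB) are left for the reader to reconstruct. A one-line comment above the define would record both, for example `/* largest tar entry (16 MiB) that is processed; bigger entries are skipped */`. That wording matches what the two later hunks do with the constant.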
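Review bot: The added `th.length > MAX_ENTRY_SIZE` test in the repo_add_arch_pkg hunk bounds the length only from above. The type of `length` is declared in tarhead.h, which this patch does not show; if it is a signed type, a negative value parsed from a malformed header would pass the check and reach whatever code consumes the entry. Should that be the case, `th.length < 0 || th.length > MAX_ENTRY_SIZE` would close the gap here and in the matching condition in repo_add_arch_repo. The body of repo_add_arch_pkg continues outside the hunk, so how the length is used afterwards cannot be confirmed from this page.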
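Review bot: In the repo_add_arch_repo hunk the oversize case is folded into the same branch as `th.type != 1`, so an entry above the limit is dropped with no diagnostic and the caller cannot tell it apart from an ordinary non-regular entry. The same is true of the `.PKGINFO` condition in repo_add_arch_pkg. At minimum a comment such as `/* skip non-regular entries and entries larger than MAX_ENTRY_SIZE */` would make the policy visible. It is also worth deciding whether a rejected entry should produce an error or debug message, so that a truncated result can be traced back to the limit. The loop body continues outside the hunk.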