From 3c7a6dc6694d9b26400d2bd672e04d09ed8a4276 Mon Sep 17 00:00:00 2001
From: Tim Kientzle
Date: Sun, 26 Jul 2015 17:09:22 -0700
Subject: [PATCH] Issue #582: reject sparse blocks with negative size or offset, detect overflow when tracking sparse blocks
---
 libarchive/archive_read_support_format_tar.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/libarchive/archive_read_support_format_tar.c b/libarchive/archive_read_support_format_tar.c
index 1e780936b..01d85cf6a 100644
--- a/libarchive/archive_read_support_format_tar.c
+++ b/libarchive/archive_read_support_format_tar.c
@@ -604,8 +604,12 @@ archive_read_format_tar_skip(struct archive_read *a)
 /* Do not consume the hole of a sparse file. */
 request = 0;
 for (p = tar->sparse_list; p != NULL; p = p->next) {
- if (!p->hole)
+ if (!p->hole) {
+ if (p->remaining >= INT64_MAX - request) {
+ return ARCHIVE_FATAL;
+ }
 request += p->remaining;
+ }
 }
 if (request > tar->entry_bytes_remaining)
 request = tar->entry_bytes_remaining;
@@ -2123,6 +2127,10 @@ gnu_add_sparse_entry(struct archive_read *a, struct tar *tar,
 else
 tar->sparse_list = p;
 tar->sparse_last = p;
+ if (remaining < 0 || offset < 0) {
+ archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC, "Malformed sparse map data");
+ return (ARCHIVE_FATAL);
+ }
 p->offset = offset;
 p->remaining = remaining;
 return (ARCHIVE_OK);
-- 
2.47.2
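Review bot: The new overflow guard in archive_read_format_tar_skip returns `ARCHIVE_FATAL` without calling `archive_set_error`, so the caller gets a fatal status with no diagnostic, unlike the check added to gnu_add_sparse_entry in the second hunk. I would put `archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC, "Malformed sparse map data");` before the return and write it as `return (ARCHIVE_FATAL);` to match the return style used elsewhere in the patch. The subtraction `INT64_MAX - request` is only well-defined while `request` and every `p->remaining` are non-negative, which presumably relies on all sparse entries having passed the new sign check; a one-line comment stating that assumption would help the next reader. The function body starts and ends outside the hunk.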
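Review bot: The sign check in gnu_add_sparse_entry runs after `p` has already been linked into `tar->sparse_list` and `tar->sparse_last`, so on the error path the list keeps a node whose `offset` and `remaining` were never assigned. Whether those fields are zeroed depends on the allocation, which is outside the hunk; moving the four added lines above the allocation and linking would avoid leaving a half-built entry for any later walk or cleanup of the list. The check also leaves `offset + remaining` free to exceed `INT64_MAX`, which could be rejected in the same condition: `if (remaining < 0 || offset < 0 || offset > INT64_MAX - remaining) {`. The new return value only helps if every caller propagates it, which is not visible here.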