git.ipfire.org Git - thirdparty/libarchive.git/commit

author	Tim Kientzle <kientzle@acm.org>
	Tue, 16 Sep 2025 15:25:57 +0000 (08:25 -0700)
committer	Tim Kientzle <kientzle@acm.org>
	Tue, 16 Sep 2025 15:25:57 +0000 (08:25 -0700)
commit	36a530973a918f6e6bf34cfee289dbaf5b02b01a
tree	f0213986711e87f40daac395468103df0c6ba861	tree \| snapshot
parent	589659ed7fe15cee514dda3dea81f4053de5a3f3	commit \| diff

Fix an infinite loop when parsing `V` headers

Our tar header parsing tracks a count of bytes that need to be
consumed from the input.  After each header, we skip this many bytes,
discard them, and reset the count to zero.  The `V` header parsing
added the size of the `V` entry body to this count, but failed to
check whether that size was negative.  A negative size (from
overflowing the 64-bit signed number parsing) would decrement this
count, potentially leading us to consume zero bytes and leading to an
infinite loop parsing the same header over and over.

There are two fixes here:
* Check for a negative size for the `V` body
* Check for errors when skipping the bytes that
  need to be consumed

Thanks to Zhang Tianyi from Wuhan University for finding
and reporting this issue.