struct archive_entry *, int64_t *);
static int tohex(int c);
static char *url_decode(const char *, size_t);
-static void tar_flush_unconsumed(struct archive_read *, int64_t *);
+static int tar_flush_unconsumed(struct archive_read *, int64_t *);
/* Sanity limits: These numbers should be low enough to
* prevent a maliciously-crafted archive from forcing us to
* how much unconsumed data we have floating around, and to consume
* anything outstanding since we're going to do read_aheads
*/
-static void
+static int
tar_flush_unconsumed(struct archive_read *a, int64_t *unconsumed)
{
if (*unconsumed) {
memset(data, 0xff, *unconsumed);
}
*/
- __archive_read_consume(a, *unconsumed);
+ int64_t consumed = __archive_read_consume(a, *unconsumed);
+ if (consumed != *unconsumed) {
+ return (ARCHIVE_FATAL);
+ }
*unconsumed = 0;
}
+ return (ARCHIVE_OK);
}
/*
/* Find the next valid header record. */
while (1) {
- tar_flush_unconsumed(a, unconsumed);
+ if (tar_flush_unconsumed(a, unconsumed) != ARCHIVE_OK) {
+ return (ARCHIVE_FATAL);
+ }
/* Read 512-byte header record */
h = __archive_read_ahead(a, 512, &bytes);
/* This is NOT a null block, so it must be a valid header. */
if (!checksum(a, h)) {
- tar_flush_unconsumed(a, unconsumed);
+ if (tar_flush_unconsumed(a, unconsumed) != ARCHIVE_OK) {
+ return (ARCHIVE_FATAL);
+ }
archive_set_error(&a->archive, EINVAL,
"Damaged tar archive (bad header checksum)");
/* If we've read some critical information (pax headers, etc)
header = (const struct archive_entry_header_ustar *)h;
size = tar_atol(header->size, sizeof(header->size));
- if (size > (int64_t)pathname_limit) {
+ if (size < 0 || size > (int64_t)pathname_limit) {
return (ARCHIVE_FATAL);
}
to_consume = ((size + 511) & ~511);
return (ARCHIVE_FATAL);
}
- tar_flush_unconsumed(a, unconsumed);
+ if (tar_flush_unconsumed(a, unconsumed) != ARCHIVE_OK) {
+ return (ARCHIVE_FATAL);
+ }
/* Read the body into the string. */
src = __archive_read_ahead(a, size, NULL);
* Q: Is the above idea really possible? Even
* when there are GNU or pax extension entries?
*/
- tar_flush_unconsumed(a, unconsumed);
+ if (tar_flush_unconsumed(a, unconsumed) != ARCHIVE_OK) {
+ return (ARCHIVE_FATAL);
+ }
data = __archive_read_ahead(a, msize, NULL);
if (data == NULL) {
archive_set_error(&a->archive, EINVAL,
(long long)ext_size, (long long)ext_size_limit);
return (ARCHIVE_WARN);
}
- tar_flush_unconsumed(a, unconsumed);
+ if (tar_flush_unconsumed(a, unconsumed) != ARCHIVE_OK) {
+ return (ARCHIVE_FATAL);
+ }
/* Parse the size/name of each pax attribute in the body */
archive_string_init(&attr_name);
/* Consume size, name, and `=` */
*unconsumed += p - attr_start;
- tar_flush_unconsumed(a, unconsumed);
+ if (tar_flush_unconsumed(a, unconsumed) != ARCHIVE_OK) {
+ return (ARCHIVE_FATAL);
+ }
if (value_length == 0) {
archive_set_error(&a->archive, EINVAL,
err = err_combine(err, r);
/* Consume the `\n` that follows the pax attribute value. */
- tar_flush_unconsumed(a, unconsumed);
+ if (tar_flush_unconsumed(a, unconsumed) != ARCHIVE_OK) {
+ return (ARCHIVE_FATAL);
+ }
p = __archive_read_ahead(a, 1, &did_read);
if (p == NULL) {
archive_set_error(&a->archive, EINVAL,
}
ext_size -= 1;
*unconsumed += 1;
- tar_flush_unconsumed(a, unconsumed);
+ if (tar_flush_unconsumed(a, unconsumed) != ARCHIVE_OK) {
+ return (ARCHIVE_FATAL);
+ }
}
*unconsumed += ext_size + ext_padding;
archive_string_init(&as);
r = read_bytes_to_string(a, &as, value_length, &unconsumed);
- tar_flush_unconsumed(a, &unconsumed);
+ if (tar_flush_unconsumed(a, &unconsumed) != ARCHIVE_OK) {
+ return (ARCHIVE_FATAL);
+ }
if (r < ARCHIVE_OK) {
archive_string_free(&as);
*result = 0;
return (ARCHIVE_OK);
do {
- tar_flush_unconsumed(a, unconsumed);
+ if (tar_flush_unconsumed(a, unconsumed) != ARCHIVE_OK) {
+ return (ARCHIVE_FATAL);
+ }
data = __archive_read_ahead(a, 512, &bytes_read);
if (data == NULL) {
archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
return (ARCHIVE_FATAL);
}
/* Skip rest of block... */
- tar_flush_unconsumed(a, unconsumed);
+ if (tar_flush_unconsumed(a, unconsumed) != ARCHIVE_OK) {
+ return (ARCHIVE_FATAL);
+ }
bytes_read = tar->entry_bytes_remaining - remaining;
to_skip = 0x1ff & -bytes_read;
/* Fail if tar->entry_bytes_remaing would get negative */
const char *s;
void *p;
- tar_flush_unconsumed(a, unconsumed);
+ if (tar_flush_unconsumed(a, unconsumed) != ARCHIVE_OK) {
+ return (ARCHIVE_FATAL);
+ }
t = __archive_read_ahead(a, 1, &bytes_read);
if (bytes_read <= 0 || t == NULL)
--- /dev/null
+/*-
+ * Copyright (c) 2025 Tim Kientzle
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#include "test.h"
+
+DEFINE_TEST(test_read_format_tar_V_negative_size)
+{
+ /*
+ * An archive that contains a `V` volume header with a negative body size
+ *
+ * This used to lead to an infinite loop: the tar reader would "advance"
+ * by the size of the body to skip it, which would in this case end up
+ * reversing back to the beginning of the same header.
+ */
+ struct archive_entry *ae;
+ struct archive *a;
+ const char *refname = "test_read_format_tar_V_negative_size.tar";
+
+ extract_reference_file(refname);
+ assert((a = archive_read_new()) != NULL);
+ assertEqualInt(ARCHIVE_OK, archive_read_support_filter_all(a));
+ assertEqualInt(ARCHIVE_OK, archive_read_support_format_all(a));
+ assertEqualIntA(a, ARCHIVE_OK, archive_read_open_filename(a, refname, 10240));
+ assertEqualIntA(a, ARCHIVE_FATAL, archive_read_next_header(a, &ae));
+ assertEqualIntA(a, ARCHIVE_OK, archive_read_close(a));
+ assertEqualInt(ARCHIVE_OK, archive_read_free(a));
+}
projects / thirdparty / libarchive.git / commitdiff
