Handle invalid sparse entries in pax header

author Sergey Poznyakoff <gray@gnu.org>

Sat, 28 Aug 2021 11:15:25 +0000 (14:15 +0300)

committer Sergey Poznyakoff <gray@gnu.org>

Sat, 28 Aug 2021 11:15:25 +0000 (14:15 +0300)
author Sergey Poznyakoff <gray@gnu.org>
Sat, 28 Aug 2021 11:15:25 +0000 (14:15 +0300)
committer Sergey Poznyakoff <gray@gnu.org>
Sat, 28 Aug 2021 11:15:25 +0000 (14:15 +0300)
diff --git a/src/sparse.c b/src/sparse.c

index 2ebc62121b19bdf7f8ff82188cda7e095cea5584..7587edb2bcec6f6e0c1c109af0a03759cd9922b4 100644 (file)
--- a/src/sparse.c
+++ b/src/sparse.c
@@ -1309,7 +1309,9 @@ pax_decode_header (struct tar_sparse_file *file)
             }
           sp.offset = u;
           COPY_BUF (blk,nbuf,p);
-         if (!decode_num (&u, nbuf, TYPE_MAXIMUM (off_t)))
+         if (!decode_num (&u, nbuf, TYPE_MAXIMUM (off_t))
+             || INT_ADD_OVERFLOW (sp.offset, u)
+             || file->stat_info->stat.st_size < sp.offset + u)
             {
               ERROR ((0, 0, _("%s: malformed sparse archive member"),
                       file->stat_info->orig_file_name));
author	Sergey Poznyakoff <gray@gnu.org>
	Sat, 28 Aug 2021 11:15:25 +0000 (14:15 +0300)
committer	Sergey Poznyakoff <gray@gnu.org>
	Sat, 28 Aug 2021 11:15:25 +0000 (14:15 +0300)