From: Utkal Singh <[email protected]>

The PAX extended header size= field is parsed into a signed long long but no check is made for negative values before assigning to eh->st.st_size. A crafted PAX header with size=-1 passes the existing format check, resulting in a negative file size that can cause incorrect memory allocation and heap corruption in subsequent read or seek operations.
Add an explicit check to reject negative size= values with -EINVAL. Signed-off-by: Utkal Singh <[email protected]> Signed-off-by: Gao Xiang <[email protected]> --- lib/tar.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/lib/tar.c b/lib/tar.c index 5a83da43f3c1..c522bc3f21e1 100644 --- a/lib/tar.c +++ b/lib/tar.c @@ -571,6 +571,12 @@ int tarerofs_parse_pax_header(struct erofs_iostream *ios, ret = -EIO; goto out; } + if (lln < 0) { + erofs_err("invalid negative size=%lld in PAX header", + lln); + ret = -EFSCORRUPTED; + goto out; + } eh->st.st_size = lln; eh->use_size = true; } else if (!strncmp(kv, "uid=", sizeof("uid=") - 1)) { -- 2.43.5
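Review bot: the commit message says negative size= values are rejected with -EINVAL, but the new block sets ret = -EFSCORRUPTED; the message and the code should agree, and since a negative size= in a PAX header is malformed input rather than a bad argument, updating the commit message to name -EFSCORRUPTED is the smaller change. Placement of the check is right: it sits after the existing format check (which returns -EIO) and before eh->st.st_size = lln, so st_size can no longer be assigned a negative value, and the %lld conversion matches the long long lln passed to erofs_err.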
