From: Utkal Singh <[email protected]>

The PAX extended header size= field is parsed into a signed long
long but no check is made for negative values before assigning to
eh->st.st_size. A crafted PAX header with size=-1 passes the
existing format check, resulting in a negative file size that can
cause incorrect memory allocation and heap corruption in subsequent
read or seek operations.

Add an explicit check to reject negative size= values with -EINVAL.

Signed-off-by: Utkal Singh <[email protected]>
Signed-off-by: Gao Xiang <[email protected]>
---
 lib/tar.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/lib/tar.c b/lib/tar.c
index 5a83da43f3c1..c522bc3f21e1 100644
--- a/lib/tar.c
+++ b/lib/tar.c
@@ -571,6 +571,12 @@ int tarerofs_parse_pax_header(struct erofs_iostream *ios,
                                        ret = -EIO;
                                        goto out;
                                }
+                               if (lln < 0) {
+                                       erofs_err("invalid negative size=%lld 
in PAX header",
+                                                 lln);
+                                       ret = -EFSCORRUPTED;
+                                       goto out;
+                               }
                                eh->st.st_size = lln;
                                eh->use_size = true;
                        } else if (!strncmp(kv, "uid=", sizeof("uid=") - 1)) {
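Review bot: the error code returned by the new check (`ret = -EFSCORRUPTED;`) does not match the commit message, which says negative size= values are rejected with -EINVAL; either update the message or change the return value so the two agree, keeping in mind that the preceding format-failure path in this hunk returns -EIO, so whichever code is chosen should follow the file's existing convention for a malformed PAX record. The placement of the check is right: it sits after the existing format check and before `eh->st.st_size = lln;`, so a negative value can no longer reach st_size or set use_size.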
-- 
2.43.5