On Thu, Sep 07, 2017 at 09:53:50PM +0200, Otto Moerbeek wrote:
> So make len long and add a value check to make sure the unsigned long
> to long assignment is safe.
> 
> OK?

OK bluhm@

> Index: tar.c
> ===================================================================
> RCS file: /cvs/src/bin/pax/tar.c,v
> retrieving revision 1.63
> diff -u -p -r1.63 tar.c
> --- tar.c     26 Aug 2016 04:11:16 -0000      1.63
> +++ tar.c     7 Sep 2017 19:48:58 -0000
> @@ -1209,7 +1209,8 @@ static int
>  rd_xheader(ARCHD *arcn, int global, off_t size)
>  {
>       char buf[MAXXHDRSZ];
> -     unsigned long len;
> +     unsigned long ulen;
> +     long len;
>       char *delim, *keyword;
>       char *nextp, *p, *end;
>       int pad, ret = 0;
> @@ -1247,13 +1248,14 @@ rd_xheader(ARCHD *arcn, int global, off_
>                       break;
>               }
>               errno = 0;
> -             len = strtoul(p, &delim, 10);
> -             if (*delim != ' ' || (errno == ERANGE && len == ULONG_MAX) ||
> -                 len < MINXHDRSZ) {
> +             ulen = strtoul(p, &delim, 10);
> +             if (*delim != ' ' || (errno == ERANGE && ulen == ULONG_MAX) ||
> +                 ulen < MINXHDRSZ || ulen > LONG_MAX) {
>                       paxwarn(1, "Invalid extended header record length");
>                       ret = -1;
>                       break;
>               }
> +             len = ulen;
>               if (len > end - p) {
>                       paxwarn(1, "Extended header record length %lu is "
>                           "out of range", len);
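Review bot: The paxwarn() call at the end of the hunk still formats `len` with `%lu`, but `len` is now a `long`; passing a signed long to `%lu` is a format/argument type mismatch (undefined behaviour per the C standard, and -Wformat will flag it), so the specifier should become `%ld` to match the new type: `paxwarn(1, "Extended header record length %ld is " "out of range", len);`. The rest of the change looks right: rejecting `ulen > LONG_MAX` before the `len = ulen` assignment makes the conversion well-defined, and with `len` signed the `len > end - p` comparison no longer promotes the `ptrdiff_t` to unsigned. The enclosing loop and rd_xheader() itself start before this hunk and continue after it.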
