Handle invalid sparse entries in pax header

* src/sparse.c (pax_decode_header): Check if sp.offset+sp.numbytes falls within the reported file size. Check for possible integer overflow.
2021-08-28 14:15:25 +03:00
parent 193eb8f81d
commit cc8f5f78b2
1 changed files with 3 additions and 1 deletions
--- a/src/sparse.c
+++ b/src/sparse.c
@@ -1309,7 +1309,9 @@ pax_decode_header (struct tar_sparse_file *file)
 	    }
 	  sp.offset = u;
 	  COPY_BUF (blk,nbuf,p);
-	  if (!decode_num (&u, nbuf, TYPE_MAXIMUM (off_t)))
+	  if (!decode_num (&u, nbuf, TYPE_MAXIMUM (off_t))
+	      || INT_ADD_OVERFLOW (sp.offset, u)
+	      || file->stat_info->stat.st_size < sp.offset + u)
 	    {
 	      ERROR ((0, 0, _("%s: malformed sparse archive member"),
 		      file->stat_info->orig_file_name));