<div dir="ltr">On 2026/3/16, Gao Xiang wrote:<br>> please just follow the format like this, you need to compress it<br>> to avoid too long message<br><br>Thank you for the guidance. Here is the compressed reproducer:<br><br>Reproducible image (base64-encoded gzipped blob):<br>H4sIAKe8t2kC/9PTD0is8EhNTEktKtYvSS0uYaA+MAACMxMTMA0E6LSBgaExgg0WNzcHCilUMIwC<br>WgNDY4XizKpUW11DrtHAGAWjYBSMghEEAM45fzIACAAA<br><br>Thanks,<br>Utkal Singh</div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">On Mon, 16 Mar 2026 at 13:33, Gao Xiang <<a href="mailto:hsiangkao@linux.alibaba.com">hsiangkao@linux.alibaba.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>
<br>
On 2026/3/16 15:58, Utkal Singh wrote:<br>
> The PAX extended header size= field is parsed into a signed long<br>
> long but no check is made for negative values before assigning to<br>
> eh->st.st_size. A crafted PAX header with size=-1 passes the<br>
> existing format check, resulting in a negative file size that can<br>
> cause incorrect memory allocation and heap corruption in subsequent<br>
> read or seek operations.<br>
> <br>
> Add an explicit check to reject negative size= values with -EINVAL.<br>
> <br>
> Reproducer (base64-encoded minimal crafted tar):<br>
> mkfs.erofs --tar=f out.img < crafted-negative-size.tar<br>
<br>
please just follow the format like this, you need to compress it<br>
to avoid too long message:<br>
<br>
commit ab858f291a1a<br>
Author: Gao Xiang <<a href="mailto:hsiangkao@linux.alibaba.com" target="_blank">hsiangkao@linux.alibaba.com</a>><br>
Date: Wed Sep 24 15:17:46 2025 +0800<br>
<br>
erofs-utils: dump: avoid SIGSEGV when time cannot be represented<br>
<br>
Just show the raw time in seconds since the UNIX epoch instead.<br>
<br>
Reproducible image (base64-encoded gzipped blob):<br>
<br>
<br>
Thanks,<br>
Gao Xiang<br>
</blockquote></div>
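<div dir="ltr">The missing check described in the quoted commit message, shown as an added C example (not erofs-utils code and not written by either participant). The function names and sample records are constructed for illustration; the checked variant goes slightly beyond the described fix by also rejecting out-of-range values.</div>

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Signed parse with only a format check: "size=-1\n" is accepted. */
int pax_size_unchecked(const char *rec, long long *out)
{
	int n = 0;

	if (sscanf(rec, "size=%lld%n", out, &n) != 1 || rec[n] != '\n')
		return -EINVAL;
	return 0;
}

/* Same record, but negative, signed and out-of-range values fail. */
int pax_size_checked(const char *rec, long long *out)
{
	char *end;
	long long v;

	if (strncmp(rec, "size=", 5) != 0)
		return -EINVAL;
	rec += 5;
	/* strtoll() skips whitespace and accepts a sign: demand a digit */
	if (*rec < '0' || *rec > '9')
		return -EINVAL;
	errno = 0;
	v = strtoll(rec, &end, 10);
	if (errno == ERANGE || v < 0 || *end != '\n')
		return -EINVAL;
	*out = v;
	return 0;
}

int main(void)
{
	/* constructed sample record bodies */
	const char *samples[] = { "size=4096\n", "size=-1\n" };

	for (int i = 0; i < 2; i++) {
		long long a = 0, b = 0;
		int ra = pax_size_unchecked(samples[i], &a);
		int rb = pax_size_checked(samples[i], &b);

		printf("unchecked rc=%d size=%lld | checked rc=%d\n", ra, a, rb);
	}
	return 0;
}
```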