<div dir="ltr">On 2026/3/16, Gao Xiang wrote:<br>> I don't see a reproducible way here.<br><br>Here is a compressed reproducer for the empty path= issue:<br><br>Reproducible image (base64-encoded gzipped blob):<br>H4sIAIa8t2kC/9PTD0is8EhNTEktKtYvSS0uYaA+MAACMxMTMA0E6LSBgaEhgg0WNzcHCilUMIwC<br>WgNDA4WCxJIMW67RoBgFo2AUjIIRBQDO+4lFAAgAAA==<br><br>Thanks,<br>Utkal Singh</div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">On Mon, 16 Mar 2026 at 13:34, Gao Xiang <<a href="mailto:hsiangkao@linux.alibaba.com">hsiangkao@linux.alibaba.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>
<br>
On 2026/3/16 15:58, Utkal Singh wrote:<br>
> When a PAX extended header contains 'path=' with an empty value,<br>
> the computed length becomes zero. The subsequent trailing-slash<br>
> removal loop accesses eh->path[j - 1] where j is zero, resulting<br>
> in an out-of-bounds read and undefined behavior.<br>
> <br>
> Skip such entries to avoid unsafe pointer arithmetic and invalid<br>
> filename handling.<br>
<br>
I don't see a reproducible way here.<br>
<br>
> <br>
> Signed-off-by: Utkal Singh <<a href="mailto:singhutkal015@gmail.com" target="_blank">singhutkal015@gmail.com</a>><br>
> ---<br>
>   lib/tar.c | 2 ++<br>
>   1 file changed, 2 insertions(+)<br>
> <br>
> diff --git a/lib/tar.c b/lib/tar.c<br>
> index 26461f8..be86984 100644<br>
> --- a/lib/tar.c<br>
> +++ b/lib/tar.c<br>
> @@ -510,6 +510,8 @@ int tarerofs_parse_pax_header(struct erofs_iostream *ios,<br>
>   <br>
>                       if (!strncmp(kv, "path=", sizeof("path=") - 1)) {<br>
>                               int j = p - 1 - value;<br>
> +                             if (!j)<br>
> +                                     continue;<br>
>                               free(eh->path);<br>
>                               eh->path = strdup(value);<br>
>                               while (eh->path[j - 1] == '/')<br>
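<br>
Review bot: The new guard covers only j == 0 on entry, while the loop condition in the last context line, while (eh->path[j - 1] == '/'), still has no lower bound on j, so a value made up only of '/' characters could bring j to zero during trailing-slash removal and read eh->path[-1] unless the loop body, which is not visible in this hunk, stops it. Putting a j > 0 test into the loop condition itself would cover both the empty value and the all-slash value in one place. Separately, because the continue sits before free(eh->path), an empty path= leaves any eh->path set by an earlier record in effect; if that is intended, a short comment saying so would help.<br>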
<br>
</blockquote></div>