[PATCH 1/2] erofs-utils: tar: fix out-of-bounds access when trimming pax path
Zhan Xusheng
zhanxusheng1024 at gmail.com
Wed Apr 15 00:13:12 AEST 2026
When a PAX extended header contains a path consisting entirely of '/'
characters (e.g., "path=/"), the trailing-slash trimming loop in
tarerofs_parse_pax_header() decrements j to 0, then accesses
eh->path[-1] which is an out-of-bounds heap read.
The tar header path trimming had a similar issue fixed by commit
dcd06f421003 ("erofs-utils: mkfs: tar: fix SIGSEGV on `/` entry"),
but the PAX header path trimming was not addressed.
Add a j > 0 guard to the while condition.
Fixes: 95d315fd7958 ("erofs-utils: introduce tarerofs")
Signed-off-by: Zhan Xusheng <zhanxusheng at xiaomi.com>
---
lib/tar.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/tar.c b/lib/tar.c
index eca29f5..3d92f48 100644
--- a/lib/tar.c
+++ b/lib/tar.c
@@ -509,7 +509,7 @@ int tarerofs_parse_pax_header(struct erofs_iostream *ios,
int j = p - 1 - value;
free(eh->path);
eh->path = strdup(value);
- while (eh->path[j - 1] == '/')
+ while (j > 0 && eh->path[j - 1] == '/')
eh->path[--j] = '\0';
} else if (!strncmp(kv, "linkpath=",
sizeof("linkpath=") - 1)) {
--
2.43.0
More information about the Linux-erofs
mailing list