[PATCH 2/2] erofs-utils: tar: add missing NULL checks for GNU long name/link

[Zhan Xusheng]

In the GNU long name ('L') and long link ('K') handling, malloc()
return values are not checked.  If st.st_size is excessively large
from a crafted tar header, malloc() fails and returns NULL, then
erofs_iostream_bread() writes to a NULL pointer causing a crash.

Also add the missing PATH_MAX bound check for 'L' entries, which
the 'K' path already had.

Fixes: 95d315fd7958 ("erofs-utils: introduce tarerofs")
Signed-off-by: Zhan Xusheng <zhanxusheng at xiaomi.com>
---
 lib/tar.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/lib/tar.c b/lib/tar.c
index 3d92f48..24d8314 100644
--- a/lib/tar.c
+++ b/lib/tar.c
@@ -886,7 +886,8 @@ out_eot:
 	case 'L':
 		free(eh.path);
 		eh.path = malloc(st.st_size + 1);
-		if (st.st_size != erofs_iostream_bread(&tar->ios, eh.path,
+		if (!eh.path || st.st_size > PATH_MAX ||
+		    st.st_size != erofs_iostream_bread(&tar->ios, eh.path,
 						       st.st_size))
 			goto invalid_tar;
 		eh.path[st.st_size] = '\0';
@@ -894,8 +895,9 @@ out_eot:
 	case 'K':
 		free(eh.link);
 		eh.link = malloc(st.st_size + 1);
-		if (st.st_size > PATH_MAX || st.st_size !=
-		    erofs_iostream_bread(&tar->ios, eh.link, st.st_size))
+		if (!eh.link || st.st_size > PATH_MAX ||
+		    st.st_size != erofs_iostream_bread(&tar->ios, eh.link,
+						       st.st_size))
 			goto invalid_tar;
 		eh.link[st.st_size] = '\0';
 		goto restart;
-- 
2.43.0