[PATCH 1/2] erofs-utils: tar: fix out-of-bounds access when trimming pax path

[Gao Xiang]

Hi,

On 2026/4/14 22:13, Zhan Xusheng wrote:
> When a PAX extended header contains a path consisting entirely of '/'
> characters (e.g., "path=/"), the trailing-slash trimming loop in
> tarerofs_parse_pax_header() decrements j to 0, then accesses
> eh->path[-1] which is an out-of-bounds heap read.
> 
> The tar header path trimming had a similar issue fixed by commit
> dcd06f421003 ("erofs-utils: mkfs: tar: fix SIGSEGV on `/` entry"),
> but the PAX header path trimming was not addressed.
> 
> Add a j > 0 guard to the while condition.
> 
> Fixes: 95d315fd7958 ("erofs-utils: introduce tarerofs")
> Signed-off-by: Zhan Xusheng <zhanxusheng at xiaomi.com>

That was addressed by others before: I think I will add
your `Signed-off-by:` into the original patch.

BTW, are you using LLM to discover bugs too?

Thanks,
Gao Xiang

> ---
>   lib/tar.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/lib/tar.c b/lib/tar.c
> index eca29f5..3d92f48 100644
> --- a/lib/tar.c
> +++ b/lib/tar.c
> @@ -509,7 +509,7 @@ int tarerofs_parse_pax_header(struct erofs_iostream *ios,
>   				int j = p - 1 - value;
>   				free(eh->path);
>   				eh->path = strdup(value);
> -				while (eh->path[j - 1] == '/')
> +				while (j > 0 && eh->path[j - 1] == '/')
>   					eh->path[--j] = '\0';
>   			} else if (!strncmp(kv, "linkpath=",
>   					sizeof("linkpath=") - 1)) {