[PATCH 2/2] erofs-utils: lib/tar: reject negative size= value in PAX header
Utkal Singh
singhutkal015 at gmail.com
Mon Mar 16 17:14:35 AEDT 2026
The PAX extended header size= field is parsed into a signed long
long but no check is made for negative values before assigning to
eh->st.st_size. A crafted PAX header with size=-1 passes the
existing format check, resulting in a negative file size that can
cause incorrect memory allocation and heap corruption in subsequent
read or seek operations.
Add an explicit check to reject negative size= values with -EINVAL.
Signed-off-by: Utkal Singh <singhutkal015 at gmail.com>
---
lib/tar.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/lib/tar.c b/lib/tar.c
index be86984..cbe62be 100644
--- a/lib/tar.c
+++ b/lib/tar.c
@@ -546,6 +546,11 @@ int tarerofs_parse_pax_header(struct erofs_iostream *ios,
ret = -EIO;
goto out;
}
+ if (lln < 0) {
+ erofs_err("invalid negative size= in PAX header");
+ ret = -EINVAL;
+ goto out;
+ }
eh->st.st_size = lln;
eh->use_size = true;
} else if (!strncmp(kv, "uid=", sizeof("uid=") - 1)) {
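Review bot: The new lln < 0 branch returns -EINVAL, while the existing check directly above it sets ret = -EIO, so two rejections of a bad size= value in the same block report different error codes; choose one deliberately, or state in the commit message why they differ. The error message also drops the offending value. Since the commit message says the field is parsed into a signed long long, something like erofs_err("invalid negative size=%lld in PAX header", lln) would make a rejected archive easier to triage. This hunk bounds the value only from below, so please confirm that the largest value accepted here is still safe wherever eh->st.st_size is later consumed.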
--
2.43.0