[PATCH v3 1/2] erofs-utils: lib/tar: skip PAX entries with empty path
Gao Xiang
hsiangkao at linux.alibaba.com
Mon Mar 16 19:04:19 AEDT 2026
On 2026/3/16 15:58, Utkal Singh wrote:
> When a PAX extended header contains 'path=' with an empty value,
> the computed length becomes zero. The subsequent trailing-slash
> removal loop accesses eh->path[j - 1] where j is zero, resulting
> in an out-of-bounds read and undefined behavior.
>
> Skip such entries to avoid unsafe pointer arithmetic and invalid
> filename handling.
I don't see a reproduciable way here.
>
> Signed-off-by: Utkal Singh <singhutkal015 at gmail.com>
> ---
> lib/tar.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/lib/tar.c b/lib/tar.c
> index 26461f8..be86984 100644
> --- a/lib/tar.c
> +++ b/lib/tar.c
> @@ -510,6 +510,8 @@ int tarerofs_parse_pax_header(struct erofs_iostream *ios,
>
> if (!strncmp(kv, "path=", sizeof("path=") - 1)) {
> int j = p - 1 - value;
> + if (!j)
> + continue;
> free(eh->path);
> eh->path = strdup(value);
> while (eh->path[j - 1] == '/')
More information about the Linux-erofs
mailing list