[PATCH] erofs-utils: lib/tar: reject negative uid=/gid= values in PAX header

[Utkal Singh]

uid= and gid= values are parsed into a long long and then assigned
to st_uid/st_gid which are unsigned types. A negative PAX value
would silently wrap to a huge number, corrupting inode ownership.

Add the same negative-value guard already present for size= to
both uid= and gid= fields.

Signed-off-by: Utkal Singh <singhutkal015 at gmail.com>
---
 lib/tar.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/lib/tar.c b/lib/tar.c
index 6fa2cda..13e777a 100644
--- a/lib/tar.c
+++ b/lib/tar.c
@@ -559,6 +559,11 @@ int tarerofs_parse_pax_header(struct erofs_iostream *ios,
 					ret = -EIO;
 					goto out;
 				}
+				if (lln < 0) {
+					erofs_err("invalid negative uid= in PAX header");
+					ret = -EINVAL;
+					goto out;
+				}
 				eh->st.st_uid = lln;
 				eh->use_uid = true;
 			} else if (!strncmp(kv, "gid=", sizeof("gid=") - 1)) {
@@ -567,6 +572,11 @@ int tarerofs_parse_pax_header(struct erofs_iostream *ios,
 					ret = -EIO;
 					goto out;
 				}
+				if (lln < 0) {
+					erofs_err("invalid negative gid= in PAX header");
+					ret = -EINVAL;
+					goto out;
+				}
 				eh->st.st_gid = lln;
 				eh->use_gid = true;
 			} else if (!strncmp(kv, "SCHILY.xattr.",
-- 
2.43.0