[PATCH v3 1/2] erofs-utils: lib/tar: skip PAX entries with empty path
Utkal Singh
singhutkal015 at gmail.com
Mon Mar 16 19:21:33 AEDT 2026
On 2026/3/16, Gao Xiang wrote:
> I don't see a reproducible way here.
Here is a compressed reproducer for the empty path= issue:
Reproducible image (base64-encoded gzipped blob):
H4sIAIa8t2kC/9PTD0is8EhNTEktKtYvSS0uYaA+MAACMxMTMA0E6LSBgaEhgg0WNzcHCilUMIwC
WgNDA4WCxJIMW67RoBgFo2AUjIIRBQDO+4lFAAgAAA==
Thanks,
Utkal Singh
On Mon, 16 Mar 2026 at 13:34, Gao Xiang <hsiangkao at linux.alibaba.com> wrote:
>
>
> On 2026/3/16 15:58, Utkal Singh wrote:
> > When a PAX extended header contains 'path=' with an empty value,
> > the computed length becomes zero. The subsequent trailing-slash
> > removal loop accesses eh->path[j - 1] where j is zero, resulting
> > in an out-of-bounds read and undefined behavior.
> >
> > Skip such entries to avoid unsafe pointer arithmetic and invalid
> > filename handling.
>
> I don't see a reproducible way here.
>
> >
> > Signed-off-by: Utkal Singh <singhutkal015 at gmail.com>
> > ---
> > lib/tar.c | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> > diff --git a/lib/tar.c b/lib/tar.c
> > index 26461f8..be86984 100644
> > --- a/lib/tar.c
> > +++ b/lib/tar.c
> > @@ -510,6 +510,8 @@ int tarerofs_parse_pax_header(struct erofs_iostream
> *ios,
> >
> > if (!strncmp(kv, "path=", sizeof("path=") - 1)) {
> > int j = p - 1 - value;
> > + if (!j)
> > + continue;
> > free(eh->path);
> > eh->path = strdup(value);
> > while (eh->path[j - 1] == '/')
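Review bot: The added `if (!j)` check handles only the empty value; the unchanged `while (eh->path[j - 1] == '/')` right after it still has no lower bound on j. If that loop shortens j while stripping trailing slashes, as the commit message describes, a value consisting only of slashes reaches j == 0 and reads eh->path[-1], the same way the empty case did. Consider bounding the loop itself, e.g. `while (j > 0 && eh->path[j - 1] == '/')`, and then deciding how a path that is empty after stripping should be treated. Separately, the result of `strdup(value)` is dereferenced without a NULL check. The commit message should also state what `continue` skips here, since the subject says entries are skipped but the enclosing loop is not visible in this hunk.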
>
>