From c6d289ab9e604369c25ed2c766842318f74e9256 Mon Sep 17 00:00:00 2001
From: David Oberhollenzer <david.oberhollenzer@sigma-star.at>
Date: Thu, 3 Sep 2020 17:51:06 +0200
Subject: Fix integer bounds checking in GNU tar sparse format 1.0 parser

 - Make sure the file actually has that many records before trying
   to read one and fail if not.
 - Use the helper macros for size_t overflow checking instead of
   assuming size_t == uint64_t.
 - Impose a "reasonable" upper bound on the number of data segments
   and insist that there is at least one entry.

Signed-off-by: David Oberhollenzer <david.oberhollenzer@sigma-star.at>
---
 lib/tar/internal.h            |  1 +
 lib/tar/read_sparse_map_new.c | 14 ++++++++++++--
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/lib/tar/internal.h b/lib/tar/internal.h
index 65e5d45..bea863d 100644
--- a/lib/tar/internal.h
+++ b/lib/tar/internal.h
@@ -42,6 +42,7 @@ enum {
 #define TAR_MAX_SYMLINK_LEN (65536)
 #define TAR_MAX_PATH_LEN (65536)
 #define TAR_MAX_PAX_LEN (65536)
+#define TAR_MAX_SPARSE_ENT (65536)
 
 
 int read_octal(const char *str, int digits, sqfs_u64 *out);
diff --git a/lib/tar/read_sparse_map_new.c b/lib/tar/read_sparse_map_new.c
index 246f8a5..f4f0f92 100644
--- a/lib/tar/read_sparse_map_new.c
+++ b/lib/tar/read_sparse_map_new.c
@@ -15,9 +15,10 @@ static int decode(const char *str, size_t len, size_t *out)
 	*out = 0;
 
 	while (count < len && isdigit(*str)) {
-		if (*out > 0xFFFFFFFFFFFFFFFFUL / 10)
+		if (SZ_MUL_OV(*out, 10, out))
+			return -1;
+		if (SZ_ADD_OV(*out, (*(str++) - '0'), out))
 			return -1;
-		*out = (*out) * 10 + (*(str++) - '0');
 		++count;
 	}
 
@@ -34,6 +35,9 @@ sparse_map_t *read_gnu_new_sparse(FILE *fp, tar_header_decoded_t *out)
 	char buffer[1024];
 	int diff, ret;
 
+	if (out->record_size < 512)
+		goto fail_format;
+
 	if (read_retry("reading GNU sparse map", fp, buffer, 512))
 		return NULL;
 
@@ -43,6 +47,9 @@ sparse_map_t *read_gnu_new_sparse(FILE *fp, tar_header_decoded_t *out)
 
 	out->record_size -= 512;
 
+	if (count == 0 || count > TAR_MAX_SPARSE_ENT)
+		goto fail_format;
+
 	for (i = 0; i < (count * 2); ++i) {
 		ret = decode(buffer + diff, 512 - diff, &value);
 		if (ret < 0)
@@ -51,6 +58,9 @@ sparse_map_t *read_gnu_new_sparse(FILE *fp, tar_header_decoded_t *out)
 		if (ret > 0) {
 			diff += ret;
 		} else {
+			if (out->record_size < 512)
+				goto fail_format;
+
 			if (read_retry("reading GNU sparse map", fp,
 				       buffer + 512, 512)) {
 				return NULL;
-- 
cgit v1.2.3