Skip to content

reject tar sparse blocks larger than the entry size#780

Open
kali834x wants to merge 1 commit into
apache:masterfrom
kali834x:tar-sparse-size-bound
Open

reject tar sparse blocks larger than the entry size#780
kali834x wants to merge 1 commit into
apache:masterfrom
kali834x:tar-sparse-size-bound

Conversation

@kali834x

@kali834x kali834x commented Jul 2, 2026

Copy link
Copy Markdown

buildSparseInputStreams in TarArchiveInputStream and TarFile size the non-hole sub-streams from each sparse header's numbytes, and the only geometry guard, getOrderedSparseHeaders, bounds offset+numbytes against the logical realSize rather than the entry's stored size. a crafted gnu/pax sparse entry can set a small header size but a sparse map whose numbytes sum is much larger (realsize == numbytes so the existing realSize check passes), and reading that entry then pulls bytes belonging to the following entries. this accumulates the physical block bytes while building the streams and fails with an ArchiveException once they exceed currEntry.getSize(). the sum equals the entry size for every valid sparse variant (old gnu, pax 0.x, star), with slack only for the pax 1.x in-data map, so no valid archive is rejected. the added SparseFilesTest case reads a 4-byte entry whose map claims a 1 MiB block and now throws for both readers instead of over-reading into the next entry.

  • Read the contribution guidelines for this project.
  • Read the ASF Generative Tooling Guidance if you use Artificial Intelligence (AI).
  • I used AI to create any part of, or all of, this pull request. Which AI tool was used to create this pull request, and to what extent did it contribute?
  • Run a successful build using the default Maven goal with mvn; that's mvn on the command line by itself.
  • Write unit tests that match behavioral changes, where the tests fail if the changes to the runtime are not applied. This may not always be possible, but it is a best practice.
  • Write a pull request description that is detailed enough to understand what the pull request does, how, and why.
  • Each commit in the pull request should have a meaningful subject line and body. Note that a maintainer may squash commits during the merge process.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant