archive/tar: fix for CVE-2022-2879

vbatts · vbatts · commit 1c425c4aaac5 · 2025-01-20T10:25:58.000-05:00
Fixes: #76 In a specially crafted tar archive can cause `io.ReadAll()` to overrun the memory. The fix is taken from upstream golang, as this tar-split repo carries an old fork from upstream. Thanks to @tojoos and @bainsy88 for reporting. References: - https://nvd.nist.gov/vuln/detail/cve-2022-2879 - golang/go@0bf7ee9 - https://go-review.googlesource.com/c/go/+/439355/2/src/archive/tar/reader.go#106 Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
diff --git a/archive/tar/format.go b/archive/tar/format.go
@@ -143,6 +143,10 @@ const (
 	blockSize  = 512 // Size of each block in a tar stream
 	nameSize   = 100 // Max length of the name field in USTAR format
 	prefixSize = 155 // Max length of the prefix field in USTAR format
+
+	// Max length of a special file (PAX header, GNU long name or link).
+	// This matches the limit used by libarchive.
+	maxSpecialFileSize = 1 << 20
 )
 
 // blockPadding computes the number of bytes needed to pad offset up to the
diff --git a/archive/tar/reader.go b/archive/tar/reader.go
@@ -144,7 +144,7 @@ func (tr *Reader) next() (*Header, error) {
 			continue // This is a meta header affecting the next header
 		case TypeGNULongName, TypeGNULongLink:
 			format.mayOnlyBe(FormatGNU)
-			realname, err := io.ReadAll(tr)
+			realname, err := readSpecialFile(tr)
 			if err != nil {
 				return nil, err
 			}
@@ -338,7 +338,7 @@ func mergePAX(hdr *Header, paxHdrs map[string]string) (err error) {
 // parsePAX parses PAX headers.
 // If an extended header (type 'x') is invalid, ErrHeader is returned
 func parsePAX(r io.Reader) (map[string]string, error) {
-	buf, err := io.ReadAll(r)
+	buf, err := readSpecialFile(r)
 	if err != nil {
 		return nil, err
 	}
@@ -889,6 +889,16 @@ func tryReadFull(r io.Reader, b []byte) (n int, err error) {
 	return n, err
 }
 
+// readSpecialFile is like io.ReadAll except it returns
+// ErrFieldTooLong if more than maxSpecialFileSize is read.
+func readSpecialFile(r io.Reader) ([]byte, error) {
+	buf, err := io.ReadAll(io.LimitReader(r, maxSpecialFileSize+1))
+	if len(buf) > maxSpecialFileSize {
+		return nil, ErrFieldTooLong
+	}
+	return buf, err
+}
+
 // discard skips n bytes in r, reporting an error if unable to do so.
 func discard(tr *Reader, n int64) error {
 	var seekSkipped, copySkipped int64
