From 9f7cfb13948cdc45b0cc9d45061210b78708761d Mon Sep 17 00:00:00 2001
From: Tim Ledbetter <timledbetter@gmail.com>
Date: Mon, 2 Oct 2023 20:24:14 +0100
Subject: [PATCH] LibArchive: Ensure tar extended header length is within
 expected range

---
 Userland/Libraries/LibArchive/TarStream.h | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/Userland/Libraries/LibArchive/TarStream.h b/Userland/Libraries/LibArchive/TarStream.h
index 71bbaf1277..21696e4ab2 100644
--- a/Userland/Libraries/LibArchive/TarStream.h
+++ b/Userland/Libraries/LibArchive/TarStream.h
@@ -93,11 +93,18 @@ inline ErrorOr<void> TarInputStream::for_each_extended_header(F func)
         Optional<unsigned int> length = file_contents.substring_view(0, length_end_index.value()).to_uint();
         if (!length.has_value())
             return Error::from_string_literal("Malformed extended header: Could not parse length.");
+
+        if (length_end_index.value() >= length.value())
+            return Error::from_string_literal("Malformed extended header: Header length too short.");
+
         unsigned int remaining_length = length.value();
 
         remaining_length -= length_end_index.value() + 1;
         file_contents = file_contents.substring_view(length_end_index.value() + 1);
 
+        if (file_contents.length() < remaining_length - 1)
+            return Error::from_string_literal("Malformed extended header: Header length too large.");
+
         // Extract the header.
         StringView header = file_contents.substring_view(0, remaining_length - 1);
         file_contents = file_contents.substring_view(remaining_length - 1);