Guard against negative offset/length values in tarfile's GNU sparse extraction #137396

@VbhvGupta

Bug report

Bug description:

for i in range(21):
    try:
        offset = nti(buf[pos:pos + 12])
        numbytes = nti(buf[pos + 12:pos + 24])
    except ValueError:
        break
    if offset and numbytes:
        structs.append((offset, numbytes))
    pos += 24

if offset and numbytes:

  • There is no check that offset or numbytes are non-negative.
  • The check if offset and numbytes: only skips zero, not negative numbers.

Validation should be added:

if offset >= 0 and numbytes >= 0:
    structs.append((offset, numbytes))
  • This will prevent the addition of invalid sparse mappings, mitigating the risk.

CPython versions tested on:

3.13

Operating systems tested on:

Windows
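
Added example, not part of the original report and not CPython's code: it decodes a constructed 21-entry sparse area with tarfile's module-level `nti`/`itn` helpers (undocumented, assumed present as in current CPython) and runs the same loop shape with the check quoted in the report and with the proposed one. The names `build_sparse_area`, `parse_sparse_area`, `truthy_check` and `non_negative_check` are hypothetical.

```python
import tarfile

FIELD = 12     # width of one numeric field, as in buf[pos:pos + 12]
ENTRIES = 21   # (offset, numbytes) structs per block, as in range(21)

# Constructed sample values, including two negative fields.
SAMPLE = [(0, 512), (4096, 1024), (-512, 1024), (8192, -1)]


def build_sparse_area(pairs):
    """Pack pairs into a NUL-padded 21-entry area (constructed test input)."""
    raw = b"".join(
        tarfile.itn(value, FIELD, tarfile.GNU_FORMAT)
        for pair in pairs
        for value in pair
    )
    return raw.ljust(ENTRIES * 2 * FIELD, b"\0")


def parse_sparse_area(buf, accept):
    """Same loop shape as the snippet in the report, with a pluggable check."""
    structs = []
    pos = 0
    for _ in range(ENTRIES):
        try:
            offset = tarfile.nti(buf[pos:pos + FIELD])
            numbytes = tarfile.nti(buf[pos + FIELD:pos + 2 * FIELD])
        except (ValueError, tarfile.TarError):
            break
        if accept(offset, numbytes):
            structs.append((offset, numbytes))
        pos += 2 * FIELD
    return structs


def truthy_check(offset, numbytes):
    """The check quoted in the report: skips zeros, keeps negatives."""
    return bool(offset and numbytes)


def non_negative_check(offset, numbytes):
    """The check proposed in the report."""
    return offset >= 0 and numbytes >= 0


if __name__ == "__main__":
    area = build_sparse_area(SAMPLE)
    for check in (truthy_check, non_negative_check):
        kept = parse_sparse_area(area, check)
        print(check.__name__, len(kept), kept[:4])
```

On this constructed input the truthiness check keeps both negative entries and drops the entry at offset 0, while the non-negative check rejects the negatives and also retains the zero-filled padding entries.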

Labels: stdlib (Python modules in the Lib dir), type-bug (An unexpected behavior, bug, or error)