Guard against negative offset/length values in tarfile's GNU sparse extraction

[VbhvGupta]

Bug report

Bug description:

for i in range(21):
    try:
        offset = nti(buf[pos:pos + 12])
        numbytes = nti(buf[pos + 12:pos + 24])
    except ValueError:
        break
    if offset and numbytes:
        structs.append((offset, numbytes))
    pos += 24

cpython/Lib/tarfile.py

Line 1441 in 7040aa5

if offset and numbytes:

• There is no check that offset or numbytes are non-negative.
• The check if offset and numbytes: only skips zero, not negative numbers.

validation should be added:

if offset >= 0 and numbytes >= 0:
    structs.append((offset, numbytes))

• This will prevent the addition of invalid sparse mappings, mitigating the risk.

CPython versions tested on:

3.13

Operating systems tested on:

Windows

Linked PRs

• gh-137396: Raise InvalidHeaderError when offset or numbytes is negative #137805

[picnixz]

Actually, I forgot about it but I think there is a similar check we now do: 7040aa5. I didn't check if this validates the structs, though so maybe extra validation is needed here (more generally, I'm not sure whether we should really stop if we encounter a ValueError rather than raising indicating a bad GNU sparse header).

cc @gpshead (maybe we should recategorize it as a security issue)

[VbhvGupta]

Thank you for analysis @picnixz

I agree that while the check in 7040aa5 is related, the explicit validation for negative values still seems necessary to be completely safe.

I agree, raising an exception to indicate a bad header would be much more robust than the current behavior.

Thank you for suggesting it be recategorized as a security issue. That was my primary concern, and I appreciate you escalating it.

[moreal]

@corona10 Could you assign me on this issue?