hello! I've used the `tar` crate in a project to modify an archive and noticed the generated archives are invalid in some cases: /usr/bin/tar complains about a truncated archive, and after some inspection I noticed the size that gets written appears to be multiplied by 8.
This doesn't seem to be an interoperability issue: calling `.size()` immediately after calling `.set_size(...)` also returns a value that's much bigger than what I intended to set.
I hacked together a minimal test case that searches with cargo-fuzz and found one:
```rust
#![no_main]
use libfuzzer_sys::fuzz_target;
use anyhow::{Context, Result};

fn run_test(data: &[u8]) -> Result<()> {
    // Treat the fuzzer input as a tar archive and take its first entry.
    let mut r = &data[..];
    let mut a = tar::Archive::new(&mut r);
    let entry = a.entries()?.next().context("empty archive")??;
    // Clone the header, set a known size, and read it straight back.
    let mut h = entry.header().clone();
    h.set_size(1337);
    if h.size().context("failed to get size")? != 1337 {
        panic!("bugged header");
    }
    Ok(())
}

fuzz_target!(|data: &[u8]| {
    // Parse errors are expected for random input; only the panic above counts.
    run_test(data).ok();
});
```
Possibly related to #286, #298