From f008e576829d35b643a901af2a5cecc8780033f4 Mon Sep 17 00:00:00 2001
From: Daniel Axtens
Date: Wed, 2 Jan 2019 16:14:01 +1100
Subject: [PATCH] (v1.30) Fix null dereference in pax_decode_header

pax_decode_header does not consider that find_next_block can return zero/NULL to represent EOF. This leads to a null pointer dereference when handling certain malicious archives.
* src/sparse.c: Add check against result of find_next_block.
---
 src/sparse.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/sparse.c b/src/sparse.c
index d41c0eacd1f3..68a087714260 100644
--- a/src/sparse.c
+++ b/src/sparse.c
@@ -1243,6 +1243,14 @@ pax_decode_header (struct tar_sparse_file *file)
 set_next_block_after (current_header);
 file->dumped_size += BLOCKSIZE;
 blk = find_next_block ();
+
+ if (!blk)
+ {
+ ERROR ((0, 0, _("%s: malformed sparse archive member"),
+ file->stat_info->orig_file_name));
+ return false;
+ }
+
 p = blk->buffer;
 COPY_BUF (blk,nbuf,p);
 if (!decode_num (&u, nbuf, TYPE_MAXIMUM (size_t)))
-- 
2.17.1
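Review bot: The added `if (!blk)` guard covers only the direct `find_next_block ()` call in this hunk; `COPY_BUF (blk,nbuf,p)` on the context line just below is a macro defined outside the hunk, and if it also refills `blk` from `find_next_block ()` when a number runs past the end of a block, a truncated archive could still reach a NULL dereference there. It is worth checking that macro and every other `find_next_block ()` call in src/sparse.c, and applying the same test before the result's `->buffer` is read. A short comment above the new check, e.g. `/* find_next_block returns NULL at EOF (truncated sparse map) */`, would record why the guard exists. pax_decode_header starts and ends outside the hunk, so whether other calls in the function are already guarded cannot be seen here.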