Add defense-in-depth fixes for archive and file format parsing

Co-authored-by: jgarzik <494411+jgarzik@users.noreply.github.com>

Author: Copilot

pax/formats/cpio.rs

@@ -272,7 +272,12 @@ fn parse_header<R: Read>(header: &[u8; HEADER_SIZE], reader: &mut R) -> PaxResul
 fn parse_octal_field(bytes: &[u8]) -> PaxResult<u64> {
     let s = std::str::from_utf8(bytes)
         .map_err(|_| PaxError::InvalidHeader("invalid octal field".to_string()))?;
-    u64::from_str_radix(s.trim(), 8)
+    let s = s.trim();
+    // Reject if the octal string contains a sign
+    if s.starts_with('+') || s.starts_with('-') {
+        return Err(PaxError::InvalidHeader(format!("invalid octal: {}", s)));
+    }
+    u64::from_str_radix(s, 8)
         .map_err(|_| PaxError::InvalidHeader(format!("invalid octal: {}", s)))
 }
 

pax/formats/pax.rs

@@ -837,6 +837,10 @@ fn parse_octal(bytes: &[u8]) -> PaxResult<u64> {
     if s.is_empty() {
         return Ok(0);
     }
+    // Reject if the octal string contains a sign
+    if s.starts_with('+') || s.starts_with('-') {
+        return Err(PaxError::InvalidHeader(format!("invalid octal: {}", s)));
+    }
     u64::from_str_radix(&s, 8).map_err(|_| PaxError::InvalidHeader(format!("invalid octal: {}", s)))
 }
 

pax/formats/ustar.rs

@@ -273,6 +273,10 @@ fn parse_octal(bytes: &[u8]) -> PaxResult<u64> {
     if s.is_empty() {
         return Ok(0);
     }
+    // Reject if the octal string contains a sign
+    if s.starts_with('+') || s.starts_with('-') {
+        return Err(PaxError::InvalidHeader(format!("invalid octal: {}", s)));
+    }
     u64::from_str_radix(&s, 8).map_err(|_| PaxError::InvalidHeader(format!("invalid octal: {}", s)))
 }
 

pax/main.rs

@@ -557,6 +557,11 @@ fn is_valid_tar_checksum(buf: &[u8]) -> bool {
         return false;
     }
 
+    // Reject if checksum contains a sign
+    if chksum_str.starts_with('+') || chksum_str.starts_with('-') {
+        return false;
+    }
+
     let stored = match u32::from_str_radix(chksum_str, 8) {
         Ok(v) => v,
         Err(_) => return false,

pax/modes/append.rs

@@ -124,6 +124,11 @@ fn is_valid_tar_checksum(header: &[u8]) -> bool {
         return false;
     }
 
+    // Reject if checksum contains a sign
+    if chksum_str.starts_with('+') || chksum_str.starts_with('-') {
+        return false;
+    }
+
     let stored = match u32::from_str_radix(chksum_str, 8) {
         Ok(v) => v,
         Err(_) => return false,
@@ -214,6 +219,10 @@ fn parse_octal(bytes: &[u8]) -> PaxResult<u64> {
     if s.is_empty() {
         return Ok(0);
     }
+    // Reject if the octal string contains a sign
+    if s.starts_with('+') || s.starts_with('-') {
+        return Err(PaxError::InvalidHeader(format!("invalid octal: {}", s)));
+    }
     u64::from_str_radix(s, 8).map_err(|_| PaxError::InvalidHeader(format!("invalid octal: {}", s)))
 }
 

pax/multivolume.rs

@@ -745,6 +745,10 @@ fn parse_octal(bytes: &[u8]) -> PaxResult<u64> {
     if s.is_empty() {
         return Ok(0);
     }
+    // Reject if the octal string contains a sign
+    if s.starts_with('+') || s.starts_with('-') {
+        return Err(PaxError::InvalidHeader(format!("invalid octal: {}", s)));
+    }
     u64::from_str_radix(s, 8).map_err(|_| PaxError::InvalidHeader(format!("invalid octal: {}", s)))
 }
 

xform/uudecode.rs

@@ -59,7 +59,12 @@ impl Header {
             panic!("Invalid encoding type");
         };
 
-        let lower_perm_bits = u32::from_str_radix(split[1], 8).expect("Invalid permission value");
+        let mode_str = split[1];
+        // Reject if mode contains a sign
+        if mode_str.starts_with('+') || mode_str.starts_with('-') {
+            panic!("Invalid permission value: unexpected sign");
+        }
+        let lower_perm_bits = u32::from_str_radix(mode_str, 8).expect("Invalid permission value");
         let out = PathBuf::from(split[2]);
 
         Self {