fix silent integer overflow and truncation of Uid/Gid

[metsw24-max]

This patch cleans up a dangerous integer arithmetic issue in archive/tar/reader.go.

When parsing Uid and Gid from a tar header (both V7/USTAR headers and PAX extended headers), the parser reads the values as int64 but explicitly casts them to a native int (e.g., hdr.Uid = int(id64)).

On 32-bit architectures, this results in a silent integer overflow. An attacker could craft a malicious archive with a Uid of 4294967296 ($2^{32}$). Due to the overflow, this silently truncates to 0. If an extraction tool trusts the Header.Uid field, this leads directly to a Privilege Escalation vulnerability, as the malicious file will be extracted with root (UID 0) ownership instead of the intended user.

To fix this, the patch introduces strict boundary checks (e.g., if int64(int(uid)) != uid). If the 64-bit ID cannot safely fit into a native int without truncation, the parser now fails closed by setting the error to ErrHeader. This eliminates the error-prone pattern of blind casting and prevents the exploitable overflow entirely.

[gopherbot]

This PR (HEAD: 2ab781f) has been imported to Gerrit for code review.

Please visit Gerrit at https://go-review.googlesource.com/c/go/+/773600.

Important tips:

• Don't comment on this PR. All discussion takes place in Gerrit.
• You need a Gmail or other Google account to log in to Gerrit.
• To change your code in response to feedback:
  • Push a new commit to the branch used by your GitHub PR.
  • A new "patch set" will then appear in Gerrit.
  • Respond to each comment by marking as Done in Gerrit if implemented as suggested. You can alternatively write a reply.
  • Critical: you must click the blue Reply button near the top to publish your Gerrit responses.
  • Multiple commits in the PR will be squashed by GerritBot.
• The title and description of the GitHub PR are used to construct the final commit message.
  • Edit these as needed via the GitHub web interface (not via Gerrit or git).
  • You should word wrap the PR description at ~76 characters unless you need longer lines (e.g., for tables or URLs).
• See the Sending a change via GitHub and Reviews sections of the Contribution Guide as well as the FAQ for details.

[gopherbot]

Message from Gopher Robot:

Patch Set 1:

(1 comment)

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/773600.
After addressing review feedback, remember to publish your drafts!