src/archive/tar/common.go      | 1 +
 src/archive/tar/reader.go      | 9 +++++++--
 src/archive/tar/reader_test.go | 5 +++++

diff --git a/src/archive/tar/common.go b/src/archive/tar/common.go
index 7b3945ff153144b6ef81c83696a3dbba7b57d6ca..ad31bbb64aaa5c631504aa1037d456fade5dff77 100644
--- a/src/archive/tar/common.go
+++ b/src/archive/tar/common.go
@@ -39,6 +39,7 @@ 	ErrInsecurePath    = errors.New("archive/tar: insecure file path")
 	errMissData        = errors.New("archive/tar: sparse file references non-existent data")
 	errUnrefData       = errors.New("archive/tar: sparse file contains unreferenced data")
 	errWriteHole       = errors.New("archive/tar: write non-NUL byte in sparse hole")
+	errSparseTooLong   = errors.New("archive/tar: sparse map too long")
 )
 
 type headerError []string
diff --git a/src/archive/tar/reader.go b/src/archive/tar/reader.go
index 8483fb52a28f66c0bc7f169910785e443f533e23..16ac2f5b17c28b4ec4214bd7ba8be2c2634a333a 100644
--- a/src/archive/tar/reader.go
+++ b/src/archive/tar/reader.go
@@ -531,12 +531,17 @@ 	var (
 		cntNewline int64
 		buf        bytes.Buffer
 		blk        block
+		totalSize  int
 	)
 
 	// feedTokens copies data in blocks from r into buf until there are
 	// at least cnt newlines in buf. It will not read more blocks than needed.
 	feedTokens := func(n int64) error {
 		for cntNewline < n {
+			totalSize += len(blk)
+			if totalSize > maxSpecialFileSize {
+				return errSparseTooLong
+			}
 			if _, err := mustReadFull(r, blk[:]); err != nil {
 				return err
 			}
@@ -569,8 +574,8 @@ 		return nil, ErrHeader
 	}
 
 	// Parse for all member entries.
-	// numEntries is trusted after this since a potential attacker must have
-	// committed resources proportional to what this library used.
+	// numEntries is trusted after this since feedTokens limits the number of
+	// tokens based on maxSpecialFileSize.
 	if err := feedTokens(2 * numEntries); err != nil {
 		return nil, err
 	}
diff --git a/src/archive/tar/reader_test.go b/src/archive/tar/reader_test.go
index 99340a3047191432f002edf79f833bf23a80a6da..fca53dae741bd51c2e2f7b5b5cfb54335a38f0dc 100644
--- a/src/archive/tar/reader_test.go
+++ b/src/archive/tar/reader_test.go
@@ -621,6 +621,11 @@ 				"path": strings.Repeat("123456789/", 30),
 			},
 			Format: FormatPAX,
 		}},
+	}, {
+		// Small compressed file that uncompresses to
+		// a file with a very large GNU 1.0 sparse map.
+		file: "testdata/gnu-sparse-many-zeros.tar.bz2",
+		err:  errSparseTooLong,
 	}}
 
 	for _, v := range vectors {
diff --git a/src/archive/tar/testdata/gnu-sparse-many-zeros.tar.bz2 b/src/archive/tar/testdata/gnu-sparse-many-zeros.tar.bz2
new file mode 100644
index 0000000000000000000000000000000000000000..751d7fd4b68be1a7439413b4089dbbde33a2900a
Binary files /dev/null and b/src/archive/tar/testdata/gnu-sparse-many-zeros.tar.bz2 differ