libarchive 3.3.2 allows remote attackers to cause a denial of service (xmldata heap-based buffer over-read and application crash) via a crafted xar archive, related to the mishandling of empty strings in the atol8 function in archivereadsupportformat_xar.c.