Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

archive/tar: slice bounds out of range (2) #10960

Closed
dvyukov opened this issue May 26, 2015 · 4 comments
Closed

archive/tar: slice bounds out of range (2) #10960

dvyukov opened this issue May 26, 2015 · 4 comments

Comments

@dvyukov
Copy link
Member

dvyukov commented May 26, 2015

The following program crashes with a panic:

package main

import (
    "archive/tar"
    "bytes"
    "io"
    "io/ioutil"
)

func main() {
    data := []byte("\x13\x0300\x13\x03-821950296t\x13\x13\x83" +
        "s|\x83s\x1300qw\xe1f\xbb\x03000\x00\x00\x00\x10" +
        "011\x13s\xf410100t\x13\x13\x83s|\x83ss" +
        "\x000\x13s|\x83ss\xf4xS\x13s\xf410100t" +
        "\x13\x13\x83s|\x83ss\xf40\x13s|\x83ss\xf4qS0" +
        "\xd4t0\x1300q0\xf40\x00\x00\x00\x1001\x80\x00\x100" +
        "11\x13s\xf4101\xf40t\x1300q\xd4\xe1f\xbb\x03" +
        "\x00\x00\x00\xff\x80\x80\x80\x00\x80\x00\x00\x00\x00\x00\x9b\x92x\x13\xff\xff" +
        "\xff\x80100txS00t0\x1300qw010" +
        "100t\x13\x13\x83s|\x83ss\xf4xS00t0\x13" +
        "00qw\xe1f\xbb\x03000\x00\x00\x00\x10011\x13s" +
        "\xf410100t\x13\x13\x83s|\x83ss\xf40\x13s|" +
        "\x83ss\xf4xS\x13s\xf410100t\x13\x13\x83s|" +
        "\x83ss00\x13s|\x83ss\xf4xS00t0\x130" +
        "0q00\x00\x80\x00\x00\x1001s\xf410100t\x13" +
        "\x00\x00\x00 \xe1f\xbb\x0304\x00\x00\x00\x10011\x13\xff\xff" +
        "\xff\x80100txS00t0\x1300qw\xe1f\xbb" +
        "\x03000\x00\x00\x00\x10011\x13s\x83ss\xf4xS\x13" +
        "s\xf410100t\x13\x13\x83s|\x83ss\xf4311" +
        "033624846128380s|\x83ss" +
        "\xf41S00t0\x1300q000\x00\x00\x00\x1001" +
        "\x00\x00\x10011\x13s\xf410100t\x1300q\xd4" +
        "\xe1f\xbb\x0304\x00\x00\x00\x10\x83s|\x83ss\xf40\x13s" +
        "|\x83ss0xS00t0\x1300q000\x00\x00" +
        "\x00\x1001\x00\x00\x10011\x13s\xf410100t\x13" +
        "00x0\xe1f\xbb\x03\x00\x00\x100")
    t := tar.NewReader(bytes.NewReader(data))
    for {
        _, err := t.Next()
        if err != nil {
            return
        }
        io.Copy(ioutil.Discard, t)
    }
}
panic: runtime error: slice bounds out of range [recovered]
    panic: runtime error: slice bounds out of range

goroutine 1 [running]:
io/ioutil.readAll.func1(0xc208041c58)
    src/io/ioutil/ioutil.go:30 +0x121
archive/tar.(*regFileReader).Read(0xc20800e420, 0xc20806e400, 0x200, 0x200, 0xc208070139, 0x0, 0x0)
    src/archive/tar/reader.go:748 +0x170
archive/tar.(*Reader).Read(0xc208070000, 0xc20806e400, 0x200, 0x200, 0x200, 0x0, 0x0)
    src/archive/tar/reader.go:735 +0x9d
bytes.(*Buffer).ReadFrom(0xc208041bb0, 0x7f7a1683f268, 0xc208070000, 0x0, 0x0, 0x0)
    src/bytes/buffer.go:173 +0x242
io/ioutil.readAll(0x7f7a1683f268, 0xc208070000, 0x200, 0x0, 0x0, 0x0, 0x0, 0x0)
    src/io/ioutil/ioutil.go:33 +0x157
io/ioutil.ReadAll(0x7f7a1683f268, 0xc208070000, 0x0, 0x0, 0x0, 0x0, 0x0)
    src/io/ioutil/ioutil.go:42 +0x58
archive/tar.parsePAX(0x7f7a1683f268, 0xc208070000, 0x5edc78, 0x0, 0x0)
    src/archive/tar/reader.go:314 +0x55
archive/tar.(*Reader).Next(0xc208070000, 0xc208070000, 0x0, 0x0)
    src/archive/tar/reader.go:106 +0x4a2
main.main()
    tar.go:39 +0x170

on commit 8017ace

@dvyukov dvyukov added this to the Go1.5 milestone May 26, 2015
@dvyukov
Copy link
Member Author

dvyukov commented May 26, 2015

Here is another input:

    "\x13\x0380\x13\x03-821950296t\x13\x13\x83" +
    "s|\x83s\x1300qw\xe1f\xbb\x03000\x00\x00\x00\x10" +
    "011\x13s\xf410100t\x13\x13\x83s|\x83ss" +
    "\x000\x13s|\x83ss\xf4xS\x13s\xf410100t" +
    "\x13\x13\x83s|\x83ss\xf40\x13s|\x83ss\xf4qS0" +
    "\xd4t0\x1300q0\xf40\x00\x00\x00\x1001\x80\x00\x100" +
    "11\x13s\xf4101\xbb0t\x1300q\xd4\xe1f\xbb\x03" +
    "\x00\x00\x00\xff\x80\x80\x80\x00\x80\x00\x00\x00\x00\x00\x9b\x92K\x13\xff\xff" +
    "\xff\x80100txS00t0\x1300qw010" +
    "100t\x13\x13\x83s|\x83ss\xf4xS00t0\x13" +
    "00qw\xe1f\xbb\x03000\x00\x00\x00\x10011\x13s" +
    "\xf410100t\x13\x13\x83s|\x83ss\xf40\x13s|" +
    "\x83ss\xf4xS\x13s\xf4101\x00\x10t\x13\x13\x83s|" +
    "\x83ss00\x13s|\x83ss\xf4x\u007f\x10\x01\x00100" +
    "t0\x1300q00\x00\x80\x00\x00\x1001s\xf4101" +
    "00t\x13\x00\x00\x00 \xe1f0\x0304\x00\x00\x00\x1001" +
    "1\x13\xff\xff\xff\x80100txS00t0\x1300q" +
    "w\xe1f\xbb\x03000\x00\x00\x00\x10011\x13s\x83ss" +
    "\xf4xS\x13s\xf410100t\x13\x13\x83s|\x83ss" +
    "\xf4311033624846128380s" +
    "|\x83ss\xf4xS00t0\x1300q000\x00\x00" +
    "\x00\x1001\x00\x00\x10011\x13s\xf410100t\x13" +
    "00q\xd4\xe1f\xbb\x0304\x00\x00\x00\x10\x83s|\x83ss" +
    "\xf40\x13s|\x83ss\xf4xS00t0\x1300q0" +
    "00\x00\x00\x00\x1001\x00\x00\x10011\x13s\xf4101" +
    "00t\x1300x0\xe1f\xbb\x03"

It is probably the same bug, but it leads to slightly different stack trace, so please test separately:

panic: runtime error: slice bounds out of range [recovered]
    panic: runtime error: slice bounds out of range

goroutine 1 [running]:
io/ioutil.readAll.func1(0xc208041da0)
    src/io/ioutil/ioutil.go:30 +0x121
archive/tar.(*regFileReader).Read(0xc20800e420, 0xc20806e400, 0x200, 0x200, 0x184, 0x0, 0x0)
    src/archive/tar/reader.go:748 +0x170
archive/tar.(*Reader).Read(0xc208070000, 0xc20806e400, 0x200, 0x200, 0x200, 0x0, 0x0)
    src/archive/tar/reader.go:735 +0x9d
bytes.(*Buffer).ReadFrom(0xc208041cf8, 0x7fe5698dc268, 0xc208070000, 0x0, 0x0, 0x0)
    src/bytes/buffer.go:173 +0x242
io/ioutil.readAll(0x7fe5698dc268, 0xc208070000, 0x200, 0x0, 0x0, 0x0, 0x0, 0x0)
    src/io/ioutil/ioutil.go:33 +0x157
io/ioutil.ReadAll(0x7fe5698dc268, 0xc208070000, 0x0, 0x0, 0x0, 0x0, 0x0)
    src/io/ioutil/ioutil.go:42 +0x58
archive/tar.(*Reader).Next(0xc208070000, 0xc208070000, 0x0, 0x0)
    src/archive/tar/reader.go:139 +0x131
main.main()
    tar.go:39 +0x170

@dsymonds
Copy link
Contributor

Yeah, probably very similar to #10959.

@dsymonds dsymonds removed their assignment May 27, 2015
@dsymonds dsymonds modified the milestones: Go1.5Maybe, Go1.5 May 27, 2015
@osocurioso
Copy link
Contributor

This is a duplicate of #10959, both are due to negative file sizes in the header. Sent fix in CL 10402.

@gopherbot
Copy link
Contributor

CL https://golang.org/cl/10402 mentions this issue.

@mikioh mikioh modified the milestones: Go1.5, Go1.5Maybe May 28, 2015
@golang golang locked and limited conversation to collaborators Jun 25, 2016
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

No branches or pull requests

5 participants