archive/zip: cap out of range
dvyukov opened this issue · comments
The following program crashes with a panic:
package main
import (
"archive/zip"
"bytes"
"io"
"io/ioutil"
)
func main() {
data := []byte("PK\x06\x06PK\x06\a0000\x00\x00\x00\x00\x00\x00\x00\x00" +
"0000PK\x05\x06000000000000" +
"0000\v\x00000\x00\x00\x00\x00\x00\x00\x000")
z, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
if err != nil {
if z != nil {
panic("non nil z")
}
return
}
for _, f := range z.File {
r, err := f.Open()
if err != nil {
continue
}
if f.UncompressedSize64 < 1e6 {
n, err := io.Copy(ioutil.Discard, r)
if err == nil && uint64(n) != f.UncompressedSize64 {
println("bad size:", n, f.UncompressedSize64)
panic("bad size")
}
}
r.Close()
}
}panic: runtime error: makeslice: cap out of range
goroutine 1 [running]:
archive/zip.(*Reader).init(0xc2080104c0, 0x7fbacc72d1e8, 0xc208014450, 0x39, 0x0, 0x0)
src/archive/zip/reader.go:81 +0xf7
archive/zip.NewReader(0x7fbacc72d1e8, 0xc208014450, 0x39, 0x7fbacc72d1e8, 0x0, 0x0)
src/archive/zip/reader.go:69 +0x67
main.main()
zip.go:14 +0x131
This vulnerability makes it dangerous to open any untrusted zip files. I think that the code must check that the provided data size is large enough to contain the claimed number of files. For example, if the header claims to contains 1e9 files, then data size should be at least dozens of gigs (which should be caught by e.g. HTTP content cap).
on commit 8017ace
CL https://golang.org/cl/10421 mentions this issue.