archive/tar: slice bounds out of range (2)

Question

archive/tar: slice bounds out of range (2)

dvyukov opened this issue 9 years ago · comments

The following program crashes with a panic:

package main

import (
    "archive/tar"
    "bytes"
    "io"
    "io/ioutil"
)

func main() {
    data := []byte("\x13\x0300\x13\x03-821950296t\x13\x13\x83" +
        "s|\x83s\x1300qw\xe1f\xbb\x03000\x00\x00\x00\x10" +
        "011\x13s\xf410100t\x13\x13\x83s|\x83ss" +
        "\x000\x13s|\x83ss\xf4xS\x13s\xf410100t" +
        "\x13\x13\x83s|\x83ss\xf40\x13s|\x83ss\xf4qS0" +
        "\xd4t0\x1300q0\xf40\x00\x00\x00\x1001\x80\x00\x100" +
        "11\x13s\xf4101\xf40t\x1300q\xd4\xe1f\xbb\x03" +
        "\x00\x00\x00\xff\x80\x80\x80\x00\x80\x00\x00\x00\x00\x00\x9b\x92x\x13\xff\xff" +
        "\xff\x80100txS00t0\x1300qw010" +
        "100t\x13\x13\x83s|\x83ss\xf4xS00t0\x13" +
        "00qw\xe1f\xbb\x03000\x00\x00\x00\x10011\x13s" +
        "\xf410100t\x13\x13\x83s|\x83ss\xf40\x13s|" +
        "\x83ss\xf4xS\x13s\xf410100t\x13\x13\x83s|" +
        "\x83ss00\x13s|\x83ss\xf4xS00t0\x130" +
        "0q00\x00\x80\x00\x00\x1001s\xf410100t\x13" +
        "\x00\x00\x00 \xe1f\xbb\x0304\x00\x00\x00\x10011\x13\xff\xff" +
        "\xff\x80100txS00t0\x1300qw\xe1f\xbb" +
        "\x03000\x00\x00\x00\x10011\x13s\x83ss\xf4xS\x13" +
        "s\xf410100t\x13\x13\x83s|\x83ss\xf4311" +
        "033624846128380s|\x83ss" +
        "\xf41S00t0\x1300q000\x00\x00\x00\x1001" +
        "\x00\x00\x10011\x13s\xf410100t\x1300q\xd4" +
        "\xe1f\xbb\x0304\x00\x00\x00\x10\x83s|\x83ss\xf40\x13s" +
        "|\x83ss0xS00t0\x1300q000\x00\x00" +
        "\x00\x1001\x00\x00\x10011\x13s\xf410100t\x13" +
        "00x0\xe1f\xbb\x03\x00\x00\x100")
    t := tar.NewReader(bytes.NewReader(data))
    for {
        _, err := t.Next()
        if err != nil {
            return
        }
        io.Copy(ioutil.Discard, t)
    }
}

panic: runtime error: slice bounds out of range [recovered]
    panic: runtime error: slice bounds out of range

goroutine 1 [running]:
io/ioutil.readAll.func1(0xc208041c58)
    src/io/ioutil/ioutil.go:30 +0x121
archive/tar.(*regFileReader).Read(0xc20800e420, 0xc20806e400, 0x200, 0x200, 0xc208070139, 0x0, 0x0)
    src/archive/tar/reader.go:748 +0x170
archive/tar.(*Reader).Read(0xc208070000, 0xc20806e400, 0x200, 0x200, 0x200, 0x0, 0x0)
    src/archive/tar/reader.go:735 +0x9d
bytes.(*Buffer).ReadFrom(0xc208041bb0, 0x7f7a1683f268, 0xc208070000, 0x0, 0x0, 0x0)
    src/bytes/buffer.go:173 +0x242
io/ioutil.readAll(0x7f7a1683f268, 0xc208070000, 0x200, 0x0, 0x0, 0x0, 0x0, 0x0)
    src/io/ioutil/ioutil.go:33 +0x157
io/ioutil.ReadAll(0x7f7a1683f268, 0xc208070000, 0x0, 0x0, 0x0, 0x0, 0x0)
    src/io/ioutil/ioutil.go:42 +0x58
archive/tar.parsePAX(0x7f7a1683f268, 0xc208070000, 0x5edc78, 0x0, 0x0)
    src/archive/tar/reader.go:314 +0x55
archive/tar.(*Reader).Next(0xc208070000, 0xc208070000, 0x0, 0x0)
    src/archive/tar/reader.go:106 +0x4a2
main.main()
    tar.go:39 +0x170

on commit 8017ace

Dmitry Vyukov · Answer 1 · Wed May 27 2015 04:29:34 GMT+0800 (China Standard Time)

Here is another input:

    "\x13\x0380\x13\x03-821950296t\x13\x13\x83" +
    "s|\x83s\x1300qw\xe1f\xbb\x03000\x00\x00\x00\x10" +
    "011\x13s\xf410100t\x13\x13\x83s|\x83ss" +
    "\x000\x13s|\x83ss\xf4xS\x13s\xf410100t" +
    "\x13\x13\x83s|\x83ss\xf40\x13s|\x83ss\xf4qS0" +
    "\xd4t0\x1300q0\xf40\x00\x00\x00\x1001\x80\x00\x100" +
    "11\x13s\xf4101\xbb0t\x1300q\xd4\xe1f\xbb\x03" +
    "\x00\x00\x00\xff\x80\x80\x80\x00\x80\x00\x00\x00\x00\x00\x9b\x92K\x13\xff\xff" +
    "\xff\x80100txS00t0\x1300qw010" +
    "100t\x13\x13\x83s|\x83ss\xf4xS00t0\x13" +
    "00qw\xe1f\xbb\x03000\x00\x00\x00\x10011\x13s" +
    "\xf410100t\x13\x13\x83s|\x83ss\xf40\x13s|" +
    "\x83ss\xf4xS\x13s\xf4101\x00\x10t\x13\x13\x83s|" +
    "\x83ss00\x13s|\x83ss\xf4x\u007f\x10\x01\x00100" +
    "t0\x1300q00\x00\x80\x00\x00\x1001s\xf4101" +
    "00t\x13\x00\x00\x00 \xe1f0\x0304\x00\x00\x00\x1001" +
    "1\x13\xff\xff\xff\x80100txS00t0\x1300q" +
    "w\xe1f\xbb\x03000\x00\x00\x00\x10011\x13s\x83ss" +
    "\xf4xS\x13s\xf410100t\x13\x13\x83s|\x83ss" +
    "\xf4311033624846128380s" +
    "|\x83ss\xf4xS00t0\x1300q000\x00\x00" +
    "\x00\x1001\x00\x00\x10011\x13s\xf410100t\x13" +
    "00q\xd4\xe1f\xbb\x0304\x00\x00\x00\x10\x83s|\x83ss" +
    "\xf40\x13s|\x83ss\xf4xS00t0\x1300q0" +
    "00\x00\x00\x00\x1001\x00\x00\x10011\x13s\xf4101" +
    "00t\x1300x0\xe1f\xbb\x03"

It is probably the same bug, but it leads to slightly different stack trace, so please test separately:

panic: runtime error: slice bounds out of range [recovered]
    panic: runtime error: slice bounds out of range

goroutine 1 [running]:
io/ioutil.readAll.func1(0xc208041da0)
    src/io/ioutil/ioutil.go:30 +0x121
archive/tar.(*regFileReader).Read(0xc20800e420, 0xc20806e400, 0x200, 0x200, 0x184, 0x0, 0x0)
    src/archive/tar/reader.go:748 +0x170
archive/tar.(*Reader).Read(0xc208070000, 0xc20806e400, 0x200, 0x200, 0x200, 0x0, 0x0)
    src/archive/tar/reader.go:735 +0x9d
bytes.(*Buffer).ReadFrom(0xc208041cf8, 0x7fe5698dc268, 0xc208070000, 0x0, 0x0, 0x0)
    src/bytes/buffer.go:173 +0x242
io/ioutil.readAll(0x7fe5698dc268, 0xc208070000, 0x200, 0x0, 0x0, 0x0, 0x0, 0x0)
    src/io/ioutil/ioutil.go:33 +0x157
io/ioutil.ReadAll(0x7fe5698dc268, 0xc208070000, 0x0, 0x0, 0x0, 0x0, 0x0)
    src/io/ioutil/ioutil.go:42 +0x58
archive/tar.(*Reader).Next(0xc208070000, 0xc208070000, 0x0, 0x0)
    src/archive/tar/reader.go:139 +0x131
main.main()
    tar.go:39 +0x170

David Symonds · Answer 2 · Wed May 27 2015 08:13:01 GMT+0800 (China Standard Time)

Yeah, probably very similar to #10959.

osocurioso · Answer 3 · Wed May 27 2015 16:49:48 GMT+0800 (China Standard Time)

This is a duplicate of #10959, both are due to negative file sizes in the header. Sent fix in CL 10402.

GopherBot · Answer 4 · Wed May 27 2015 17:00:08 GMT+0800 (China Standard Time)

CL https://golang.org/cl/10402 mentions this issue.