archive/tar: slice bounds out of range (2)
dvyukov opened this issue · comments
Dmitry Vyukov commented
The following program crashes with a panic:
package main
import (
"archive/tar"
"bytes"
"io"
"io/ioutil"
)
func main() {
data := []byte("\x13\x0300\x13\x03-821950296t\x13\x13\x83" +
"s|\x83s\x1300qw\xe1f\xbb\x03000\x00\x00\x00\x10" +
"011\x13s\xf410100t\x13\x13\x83s|\x83ss" +
"\x000\x13s|\x83ss\xf4xS\x13s\xf410100t" +
"\x13\x13\x83s|\x83ss\xf40\x13s|\x83ss\xf4qS0" +
"\xd4t0\x1300q0\xf40\x00\x00\x00\x1001\x80\x00\x100" +
"11\x13s\xf4101\xf40t\x1300q\xd4\xe1f\xbb\x03" +
"\x00\x00\x00\xff\x80\x80\x80\x00\x80\x00\x00\x00\x00\x00\x9b\x92x\x13\xff\xff" +
"\xff\x80100txS00t0\x1300qw010" +
"100t\x13\x13\x83s|\x83ss\xf4xS00t0\x13" +
"00qw\xe1f\xbb\x03000\x00\x00\x00\x10011\x13s" +
"\xf410100t\x13\x13\x83s|\x83ss\xf40\x13s|" +
"\x83ss\xf4xS\x13s\xf410100t\x13\x13\x83s|" +
"\x83ss00\x13s|\x83ss\xf4xS00t0\x130" +
"0q00\x00\x80\x00\x00\x1001s\xf410100t\x13" +
"\x00\x00\x00 \xe1f\xbb\x0304\x00\x00\x00\x10011\x13\xff\xff" +
"\xff\x80100txS00t0\x1300qw\xe1f\xbb" +
"\x03000\x00\x00\x00\x10011\x13s\x83ss\xf4xS\x13" +
"s\xf410100t\x13\x13\x83s|\x83ss\xf4311" +
"033624846128380s|\x83ss" +
"\xf41S00t0\x1300q000\x00\x00\x00\x1001" +
"\x00\x00\x10011\x13s\xf410100t\x1300q\xd4" +
"\xe1f\xbb\x0304\x00\x00\x00\x10\x83s|\x83ss\xf40\x13s" +
"|\x83ss0xS00t0\x1300q000\x00\x00" +
"\x00\x1001\x00\x00\x10011\x13s\xf410100t\x13" +
"00x0\xe1f\xbb\x03\x00\x00\x100")
t := tar.NewReader(bytes.NewReader(data))
for {
_, err := t.Next()
if err != nil {
return
}
io.Copy(ioutil.Discard, t)
}
}
panic: runtime error: slice bounds out of range [recovered]
panic: runtime error: slice bounds out of range
goroutine 1 [running]:
io/ioutil.readAll.func1(0xc208041c58)
src/io/ioutil/ioutil.go:30 +0x121
archive/tar.(*regFileReader).Read(0xc20800e420, 0xc20806e400, 0x200, 0x200, 0xc208070139, 0x0, 0x0)
src/archive/tar/reader.go:748 +0x170
archive/tar.(*Reader).Read(0xc208070000, 0xc20806e400, 0x200, 0x200, 0x200, 0x0, 0x0)
src/archive/tar/reader.go:735 +0x9d
bytes.(*Buffer).ReadFrom(0xc208041bb0, 0x7f7a1683f268, 0xc208070000, 0x0, 0x0, 0x0)
src/bytes/buffer.go:173 +0x242
io/ioutil.readAll(0x7f7a1683f268, 0xc208070000, 0x200, 0x0, 0x0, 0x0, 0x0, 0x0)
src/io/ioutil/ioutil.go:33 +0x157
io/ioutil.ReadAll(0x7f7a1683f268, 0xc208070000, 0x0, 0x0, 0x0, 0x0, 0x0)
src/io/ioutil/ioutil.go:42 +0x58
archive/tar.parsePAX(0x7f7a1683f268, 0xc208070000, 0x5edc78, 0x0, 0x0)
src/archive/tar/reader.go:314 +0x55
archive/tar.(*Reader).Next(0xc208070000, 0xc208070000, 0x0, 0x0)
src/archive/tar/reader.go:106 +0x4a2
main.main()
tar.go:39 +0x170
on commit 8017ace
Dmitry Vyukov commented
Here is another input:
"\x13\x0380\x13\x03-821950296t\x13\x13\x83" +
"s|\x83s\x1300qw\xe1f\xbb\x03000\x00\x00\x00\x10" +
"011\x13s\xf410100t\x13\x13\x83s|\x83ss" +
"\x000\x13s|\x83ss\xf4xS\x13s\xf410100t" +
"\x13\x13\x83s|\x83ss\xf40\x13s|\x83ss\xf4qS0" +
"\xd4t0\x1300q0\xf40\x00\x00\x00\x1001\x80\x00\x100" +
"11\x13s\xf4101\xbb0t\x1300q\xd4\xe1f\xbb\x03" +
"\x00\x00\x00\xff\x80\x80\x80\x00\x80\x00\x00\x00\x00\x00\x9b\x92K\x13\xff\xff" +
"\xff\x80100txS00t0\x1300qw010" +
"100t\x13\x13\x83s|\x83ss\xf4xS00t0\x13" +
"00qw\xe1f\xbb\x03000\x00\x00\x00\x10011\x13s" +
"\xf410100t\x13\x13\x83s|\x83ss\xf40\x13s|" +
"\x83ss\xf4xS\x13s\xf4101\x00\x10t\x13\x13\x83s|" +
"\x83ss00\x13s|\x83ss\xf4x\u007f\x10\x01\x00100" +
"t0\x1300q00\x00\x80\x00\x00\x1001s\xf4101" +
"00t\x13\x00\x00\x00 \xe1f0\x0304\x00\x00\x00\x1001" +
"1\x13\xff\xff\xff\x80100txS00t0\x1300q" +
"w\xe1f\xbb\x03000\x00\x00\x00\x10011\x13s\x83ss" +
"\xf4xS\x13s\xf410100t\x13\x13\x83s|\x83ss" +
"\xf4311033624846128380s" +
"|\x83ss\xf4xS00t0\x1300q000\x00\x00" +
"\x00\x1001\x00\x00\x10011\x13s\xf410100t\x13" +
"00q\xd4\xe1f\xbb\x0304\x00\x00\x00\x10\x83s|\x83ss" +
"\xf40\x13s|\x83ss\xf4xS00t0\x1300q0" +
"00\x00\x00\x00\x1001\x00\x00\x10011\x13s\xf4101" +
"00t\x1300x0\xe1f\xbb\x03"
It is probably the same bug, but it leads to slightly different stack trace, so please test separately:
panic: runtime error: slice bounds out of range [recovered]
panic: runtime error: slice bounds out of range
goroutine 1 [running]:
io/ioutil.readAll.func1(0xc208041da0)
src/io/ioutil/ioutil.go:30 +0x121
archive/tar.(*regFileReader).Read(0xc20800e420, 0xc20806e400, 0x200, 0x200, 0x184, 0x0, 0x0)
src/archive/tar/reader.go:748 +0x170
archive/tar.(*Reader).Read(0xc208070000, 0xc20806e400, 0x200, 0x200, 0x200, 0x0, 0x0)
src/archive/tar/reader.go:735 +0x9d
bytes.(*Buffer).ReadFrom(0xc208041cf8, 0x7fe5698dc268, 0xc208070000, 0x0, 0x0, 0x0)
src/bytes/buffer.go:173 +0x242
io/ioutil.readAll(0x7fe5698dc268, 0xc208070000, 0x200, 0x0, 0x0, 0x0, 0x0, 0x0)
src/io/ioutil/ioutil.go:33 +0x157
io/ioutil.ReadAll(0x7fe5698dc268, 0xc208070000, 0x0, 0x0, 0x0, 0x0, 0x0)
src/io/ioutil/ioutil.go:42 +0x58
archive/tar.(*Reader).Next(0xc208070000, 0xc208070000, 0x0, 0x0)
src/archive/tar/reader.go:139 +0x131
main.main()
tar.go:39 +0x170
David Symonds commented
Yeah, probably very similar to #10959.
osocurioso commented
This is a duplicate of #10959, both are due to negative file sizes in the header. Sent fix in CL 10402.
GopherBot commented
CL https://golang.org/cl/10402 mentions this issue.