archive/zip: bad file size
dvyukov opened this issue · 1 comments
dvyukov commented
The following program crashes with a panic:
package main
import (
"archive/zip"
"bytes"
"io"
"io/ioutil"
)
func main() {
data := []byte("PK\x03\x040000000PK\x01\x0200000" +
"0000000000000000000\x00" +
"\x00\x00\x00\x00\x00000000000000PK\x01" +
"\x020000000000000000000" +
"00000\v\x00\x00\x00\x00\x00000000000" +
"00000000000000PK\x01\x0200" +
"00000000000000000000" +
"00\v\x00\x00\x00\x00\x00000000000000" +
"00000000000PK\x01\x020000<" +
"0\x00\x0000000000000000\v\x00\v" +
"\x00\x00\x00\x00\x0000000000\x00\x00\x00\x00000" +
"00000000PK\x01\x0200000000" +
"0000000000000000\v\x00\x00\x00" +
"\x00\x0000PK\x05\x06000000\x05\x000000" +
"\v\x00\x00\x00\x00\x00")
z, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
if err != nil {
if z != nil {
panic("non nil z")
}
return
}
for _, f := range z.File {
r, err := f.Open()
if err != nil {
continue
}
if f.UncompressedSize64 < 1e6 {
n, err := io.Copy(ioutil.Discard, r)
if err == nil && uint64(n) != f.UncompressedSize64 {
println("bad size:", n, f.UncompressedSize64)
panic("bad size")
}
}
r.Close()
}
}bad size: 0 733232
panic: bad size
If a file read succeeds (err==nil), then the file size should be checked against UncompressedSize. That is, if actual file data is shorter than UncompressedSize, then Read should return io.UnexpectedEOF; if actual file data is larger than UncompressedSize, then Read should stop at UncompressedSize and return an error. That last case (actual data is larger than claimed size) is particularly dangerous (I don't know if this kind of vulnerability is possible, but I suspect it is).
on commit 8017ace
gopherbot commented
CL https://golang.org/cl/10384 mentions this issue.