archive/zip: file with wrong checksum is successfully decompressed

Question

archive/zip: file with wrong checksum is successfully decompressed

dvyukov opened this issue 9 years ago · 1 comments

The following program crashes with the panic:

package main

import (
    "archive/zip"
    "bytes"
    "hash/crc32"
    "io/ioutil"
)

func main() {
    data := []byte("PK\x03\x040000000000000000" +
        "000000\x01\x00\x00\x000\x01\x00\x00\xff\xff0000" +
        "0000000000000000PK\x01\x02" +
        "0000\b0\b\x00000000000000" +
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x000000PK\x05\x06\x00\x00" +
        "\x00\x0000\x01\x0000008\x00\x00\x00\x00\x00")
    z, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
    if err != nil {
        panic(err)
    }
    for _, f := range z.File {
        r, err := f.Open()
        if err != nil {
            panic(err)
        }
        c, err := ioutil.ReadAll(r)
        if err != nil {
            panic(err)
        }
        if crc := crc32.ChecksumIEEE(c); crc != f.CRC32 {
            println(crc, f.CRC32)
            panic("bad checksum")
        }
        r.Close()
    }
}

0 808464432
panic: bad checksum

go version devel +b0532a9 Mon Jun 8 05:13:15 2015 +0000 linux/amd64

Answer 1 · 2015-06-13T10:00:07.000Z

CL https://golang.org/cl/11070 mentions this issue.