archive/tar: slice bounds out of range (3) #10966

Closed
dvyukov opened this issue May 27, 2015 · 5 comments

dvyukov commented May 27, 2015

The following program crashes with a panic:

package main

import (
    "archive/tar"
    "bytes"
    "io"
    "io/ioutil"
)

func main() {
    data := []byte("\x13\x0300\x13\x03-821950\x0096t\x13\x13\x83" +
        "s|\x83s\x1300qw\xe1f\xbb\x03000\x00\x00\x00\x10" +
        "011\x13s\xf410100t\x13\x13\x83s|\x83ss" +
        "\x000\x13s|\x83ss\xf4xS\x13s\xf410100t" +
        "\x13\x13\x83s|\x00ss\xf40\x13s|\x83ss0qS0" +
        "\xd4t0\x1300q0\xf40\x00\x00\x00\x1001\x80\x00\x100" +
        "11\x13s\xf410100t\x1300q\xd4\xe1f\xbb\x03" +
        "\x00\x00\x00\xff\x80\x80\x80\x00\x80\x00\x00\x00\x00\x00j.S\x13\xff\xff" +
        "\xff\x80100txS00t0\x1300qw010" +
        "100t\x13\x13\x83s|\x83ss\xf4xS00t0\x13" +
        "00qw\xe1f\xbb\x03000\x00\x00\x00\x10011\x13s" +
        "\xf410100t\x13\x13\x83s|\x83ss\xf40\x13s|" +
        "\x83s\xf4\xf4xS\x13s\xf410100t\x13\x13\x83s|" +
        "4ss00\x13s|\x83sssx100t0\x130" +
        "0q00\x00\x80\x00\x00\x1001s\xf4100\x0000t" +
        "\x13\x00\x00\x00 \xe1f\xbb\x0304\x00\x00\x00\x10011\x13\xff" +
        "\xff\xff\x80100txS00t0\x1300qw\xe1f" +
        "\xbb\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x002\x00\x00\x00\x00" +
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
        "\x00\x00\x00\x00\x001\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
    t := tar.NewReader(bytes.NewReader(data))
    for {
        _, err := t.Next()
        if err != nil {
            return
        }
        io.Copy(ioutil.Discard, t)
    }
}

panic: runtime error: slice bounds out of range

goroutine 1 [running]:
archive/tar.(*sparseFileReader).Read(0xc2080143c0, 0xc208074000, 0x2000, 0x2000, 0x0, 0x0, 0x0)
    src/archive/tar/reader.go:800 +0x2da
archive/tar.(*Reader).Read(0xc208070000, 0xc208074000, 0x2000, 0x2000, 0x0, 0x0, 0x0)
    src/archive/tar/reader.go:735 +0x9d
io/ioutil.devNull.ReadFrom(0x0, 0x7efd372e3298, 0xc208070000, 0x2, 0x0, 0x0)
    src/io/ioutil/ioutil.go:151 +0xa1
io/ioutil.(*devNull).ReadFrom(0xc20800a4a0, 0x7efd372e3298, 0xc208070000, 0xc208041e40, 0x0, 0x0)
    <autogenerated>:9 +0xb4
io.copyBuffer(0x7efd372e31c0, 0xc20800a4a0, 0x7efd372e3298, 0xc208070000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
    src/io/io.go:375 +0x183
io.Copy(0x7efd372e31c0, 0xc20800a4a0, 0x7efd372e3298, 0xc208070000, 0x200, 0x0, 0x0)
    src/io/io.go:351 +0x6b
main.main()
    tar.go:43 +0x1df

on commit 8017ace

@dvyukov dvyukov added this to the Go1.5 milestone May 27, 2015
@dsymonds dsymonds modified the milestones: Go1.5Maybe, Go1.5 May 27, 2015
@dsymonds dsymonds removed their assignment May 27, 2015
@osocurioso
Contributor

I believe this was fixed by c2fe4a0.

dvyukov commented May 30, 2015

Still happens on tip. Note that the top frame is different than in other crashes.

kf6nux commented May 30, 2015

Cannot reproduce on master branch (built as of c04813e)

rsc commented Jun 1, 2015

It's too late in the Go 1.5 release process for fuzzer bugs. The chance of hitting any of these is so low that the benefit of the fix is outweighed by the chance of the fix introducing a more serious bug.

@rsc rsc modified the milestones: Unplanned, Go1.5Maybe Jun 1, 2015
dvyukov commented Jun 2, 2015

Yeah, I probably did not run 'go install archive/tar' after pull. Can't reproduce it on fresh build as well. Closing.

@dvyukov dvyukov closed this as completed Jun 2, 2015
@golang golang locked and limited conversation to collaborators Jun 25, 2016
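
For code that feeds untrusted archives to archive/tar, a wrapper like the one below turns a reader panic such as the one reported in this issue into an ordinary error and bounds how much each entry may expand. This is an added example, not code from the issue or from the Go project; `drainTar`, `panicReader` and the size cap are names and values assumed for illustration.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
)

// panicReader is a constructed stand-in for a parser bug like the one reported here.
type panicReader struct{}

func (panicReader) Read([]byte) (int, error) { panic("slice bounds out of range") }

// drainTar reads every entry of an untrusted archive. A panic raised anywhere
// below it is returned as an error instead of crashing the process, and each
// entry is capped at maxEntry bytes (sparse entries can expand far beyond the
// size of the archive itself).
func drainTar(r io.Reader, maxEntry int64) (entries int, err error) {
	defer func() {
		if p := recover(); p != nil {
			err = fmt.Errorf("tar reader panicked: %v", p)
		}
	}()
	tr := tar.NewReader(r)
	for {
		hdr, nerr := tr.Next()
		if nerr == io.EOF {
			return entries, nil // clean end of archive
		} else if nerr != nil {
			return entries, nerr
		}
		// Read one byte past the cap so an oversized entry is detectable.
		n, cerr := io.Copy(io.Discard, io.LimitReader(tr, maxEntry+1))
		if cerr != nil {
			return entries, fmt.Errorf("%s: %w", hdr.Name, cerr)
		} else if n > maxEntry {
			return entries, fmt.Errorf("%s: larger than %d bytes", hdr.Name, maxEntry)
		}
		entries++
	}
}

func main() {
	fmt.Println(drainTar(panicReader{}, 1<<20))                                 // simulated parser panic
	fmt.Println(drainTar(bytes.NewReader(bytes.Repeat([]byte{0x13}, 1024)), 1<<20)) // constructed garbage input
}
```

The recover only covers panics on the goroutine that calls `drainTar`, so the archive must be read on that goroutine.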