crypto/cipher: StreamReader.Read() panics with slice bounds out of range #16487
Labels
Comments
bradfitz
changed the title
|
The issue happens because Relevant code here: Line 21 in 0104a31 A simple fix would be: func (r StreamReader) Read(dst []byte) (n int, err error) {
n, err = r.R.Read(dst)
if n <= 0 { return }
r.S.XORKeyStream(dst[:n], dst[:n])
return
} |
|
Can an io.Reader return negative n with error?
I think such a misbehaving Reader will cause panics in
a lot of places (e.g. io/ioutil.ReadAll).
|
|
@minux It can happen, for example with |
|
According to docs of io.Reader: https://golang.org/pkg/io/#Reader
"It returns the number of bytes read (0 <= n <= len(p)) and any error
encountered."
I think this is working as intended. Read can only return non-negative n.
|
|
Yeah, there's nothing to fix here. -1 is not a valid return value from an io.Reader, which has a different contract from the syscall package. Normally when a function returns a value and an error, the value is ignored if the error is non-nil, but io.Reader specifically says that both the integer and error are used. As @minux pointed out, it's documented as needing to be >= 0. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Please answer these questions before submitting your issue. Thanks!
What version of Go are you using (
go version)?1.6.3
What operating system and processor architecture are you using (
go env)?darwin/amd64
What did you do?
If possible, provide a recipe for reproducing the error.
A complete runnable program is good.
A link on play.golang.org is best.
https://play.golang.org/p/K9hAxbE5fL
What did you expect to see?
It should not panic.
What did you see instead?
panic: runtime error: slice bounds out of range
The text was updated successfully, but these errors were encountered: