compress/flate: index out of bounds on >2GB input #3676
Labels
Comments
With some debugging prints:
chainHead=0 hashOffset=-2147188735 diff=2147188735
BAD i=2147188735 length=2 len(win)=58734
panic: runtime error: index out of range
goroutine 1 [running]:
compress/flate.(*compressor).findMatch(0x42191160, 0x7ffb7fff0000e46c,
0x1b9400000002, 0x2, 0x42179100, ...)
/Users/rsc/g/go/src/pkg/compress/flate/deflate.go:160 +0x29c
compress/flate.(*compressor).deflate(0x42191160, 0x422bc400)
/Users/rsc/g/go/src/pkg/compress/flate/deflate.go:270 +0x4ea
compress/flate.(*compressor).write(0x42191160, 0x422bcee8,
0x66e0000066e, 0x1156, 0x0, ...)
/Users/rsc/g/go/src/pkg/compress/flate/deflate.go:363 +0x9f
compress/flate.(*Writer).Write(0x42191160, 0x422bc400, 0x115600001156,
0x100000001156, 0x0, ...)
/Users/rsc/g/go/src/pkg/compress/flate/deflate.go:473 +0x54
compress/gzip.(*Writer).Write(0x421910b0, 0x422bc400, 0x115600001156,
0x115600001156, 0x0, ...)
/Users/rsc/g/go/src/pkg/compress/gzip/gzip.go:190 +0x56c
main.main()
/Users/rsc/Downloads/x.go:64 +0x9f8
|
Thanks for the reproduction case. If I bound the arguments to findMatch the problem goes
away (diff below) but I am concerned that there are other wraparound bugs lurking. I
will ask the person who wrote the code initially.
diff -r 7637a893613f src/pkg/compress/flate/deflate.go
--- a/src/pkg/compress/flate/deflate.go Tue May 29 14:37:41 2012 -0400
+++ b/src/pkg/compress/flate/deflate.go Tue May 29 15:43:15 2012 -0400
@@ -154,6 +154,9 @@
minIndex := pos - windowSize
for i := prevHead; tries > 0; tries-- {
+if i < 0 || i+1 >= len(win) || i+length >= len(win) || i+length < 0 {
+ print("BAD i=", i, " length=", length, " len(win)=", len(win), "\n")
+}
if w0 == win[i] && w1 == win[i+1] && wEnd == win[i+length] {
// The hash function ensures that if win[i] and win[i+1] match, win[i+2] matches
@@ -260,10 +263,11 @@
minIndex = 0
}
- if d.chainHead-d.hashOffset >= minIndex &&
+ if off := d.chainHead-d.hashOffset; off >= minIndex && off < len(d.window) &&
(d.fastSkipHashing != skipNever && lookahead > minMatchLength-1 ||
d.fastSkipHashing == skipNever && lookahead > prevLength && prevLength < d.lazy) {
- if newLength, newOffset, ok := d.findMatch(d.index, d.chainHead-d.hashOffset,
minMatchLength-1, lookahead); ok {
+if d.chainHead-d.hashOffset > 1<<29 { print("chainHead=", d.chainHead, "
hashOffset=", d.hashOffset, " diff=", off, "\n") }
+ if newLength, newOffset, ok := d.findMatch(d.index, off, minMatchLength-1,
lookahead); ok {
d.length = newLength
d.offset = newOffset
}
Labels changed: added priority-later, removed priority-triage. Status changed to Accepted. |
The fix is on the review: http://golang.org/cl/6249067/ It's completely my fault. |
Yes, sorry. Usually we write "Fixes issue #3676." in the CL description and then it closes automatically. I missed that that was missing. Status changed to Fixed. |
This issue was closed.
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
by painted.now:
Attachments:
The text was updated successfully, but these errors were encountered: