Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

archive/zip: file might overflowed while decompressing #49791

Closed
mengzhuo opened this issue Nov 25, 2021 · 2 comments
Closed

archive/zip: file might overflowed while decompressing #49791

mengzhuo opened this issue Nov 25, 2021 · 2 comments
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done.
Milestone
Go1.19

Comments

@mengzhuo
Copy link
Contributor

Consider this logic from tip.

go/src/archive/zip/reader.go

Lines 229 to 234 in f7e34e7

n, err = r.rc.Read(b)
r.hash.Write(b[:n])
r.nread += uint64(n)
if err == nil {
return
}

The reader only checks file size after all the read of compress file is done, however it's possible that a malformed zip file already overflow during the decompress process.

PoC ( you can setup a malformed zip file for sure) :

func TestUnderSize(t *testing.T) {
	z, err := OpenReader("testdata/readme.zip")
	if err != nil {
		t.Fatal(err)
	}
	defer z.Close()

	for _, f := range z.File {
		f.UncompressedSize64 = 1
	}

	for _, f := range z.File {
		rd, err := f.Open()
		if err != nil {
			t.Fatal(err)
		}
		defer rd.Close()

		_, err = io.Copy(io.Discard, rd)
		if err == nil || err != nil && err != ErrFileSize {
			t.Fatal(err)
		}
	}
}

We need an easy fail-fast while reading the zip file.
@gopherbot
Copy link

Change https://golang.org/cl/366854 mentions this issue: archive/zip: fast-fail while file size is invalid

@seankhliao seankhliao added the NeedsFix The path to resolution is known, but the work has not been done. label Nov 25, 2021
@dmitshur dmitshur added this to the Go1.19 milestone Apr 11, 2022
@bcmills bcmills mentioned this issue Apr 11, 2022
Closed
@gopherbot
Copy link

Change https://go.dev/cl/399774 mentions this issue: zip: update TestUnzipSizeLimitsSpecial for CL 366854

gopherbot pushed a commit to golang/mod that referenced this issue Apr 12, 2022
@ianlancetaylor @gopherbot
zip: update TestUnzipSizeLimitsSpecial for CL 366854
41445a1 
For golang/go#49791
Fixes golang/go#52283

Change-Id: If0ddb73d06b371cb09f574e29ed2e872076a3e1a
Reviewed-on: https://go-review.googlesource.com/c/mod/+/399774
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Bryan Mills <bcmills@google.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Run-TryBot: Ian Lance Taylor <iant@google.com>
Auto-Submit: Ian Lance Taylor <iant@google.com>
@golang golang locked and limited conversation to collaborators Apr 11, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done.
Projects
None yet
Milestone
Go1.19
Development

No branches or pull requests
4 participants
@mengzhuo @dmitshur @gopherbot @seankhliao