Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

archive/zip: cap out of range #10956

Closed
dvyukov opened this issue May 26, 2015 · 1 comment
Closed

archive/zip: cap out of range #10956

dvyukov opened this issue May 26, 2015 · 1 comment
Milestone

Comments

@dvyukov
Copy link
Member

dvyukov commented May 26, 2015

The following program crashes with a panic:

package main

import (
    "archive/zip"
    "bytes"
    "io"
    "io/ioutil"
)

func main() {
    data := []byte("PK\x06\x06PK\x06\a0000\x00\x00\x00\x00\x00\x00\x00\x00" +
        "0000PK\x05\x06000000000000" +
        "0000\v\x00000\x00\x00\x00\x00\x00\x00\x000")
    z, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
    if err != nil {
        if z != nil {
            panic("non nil z")
        }
        return
    }
    for _, f := range z.File {
        r, err := f.Open()
        if err != nil {
            continue
        }
        if f.UncompressedSize64 < 1e6 {
            n, err := io.Copy(ioutil.Discard, r)
            if err == nil && uint64(n) != f.UncompressedSize64 {
                println("bad size:", n, f.UncompressedSize64)
                panic("bad size")
            }
        }
        r.Close()
    }
}
panic: runtime error: makeslice: cap out of range

goroutine 1 [running]:
archive/zip.(*Reader).init(0xc2080104c0, 0x7fbacc72d1e8, 0xc208014450, 0x39, 0x0, 0x0)
    src/archive/zip/reader.go:81 +0xf7
archive/zip.NewReader(0x7fbacc72d1e8, 0xc208014450, 0x39, 0x7fbacc72d1e8, 0x0, 0x0)
    src/archive/zip/reader.go:69 +0x67
main.main()
    zip.go:14 +0x131

This vulnerability makes it dangerous to open any untrusted zip files. I think that the code must check that the provided data size is large enough to contain the claimed number of files. For example, if the header claims to contains 1e9 files, then data size should be at least dozens of gigs (which should be caught by e.g. HTTP content cap).

on commit 8017ace

@dvyukov dvyukov added this to the Go1.5 milestone May 26, 2015
@gopherbot
Copy link
Contributor

CL https://golang.org/cl/10421 mentions this issue.

@bradfitz bradfitz assigned bradfitz and unassigned adg May 27, 2015
@golang golang locked and limited conversation to collaborators Jun 25, 2016
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

No branches or pull requests

4 participants