archive/zip: return error from NewReader when negative size is passed

Fixes #26589

Change-Id: I180883a13cec229093654004b42c48d76ee20272
GitHub-Last-Rev: 2d9879de43fbcfb413116d69accdade6bc042c97
GitHub-Pull-Request: golang/go#26667
Reviewed-on: https://go-review.googlesource.com/126617
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Joe Tsai <thebrokentoaster@gmail.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>

diff --git a/src/archive/zip/reader.go b/src/archive/zip/reader.go
index 2444106ba69e9e9b2fc194933b4d39b89ab311f2..2260b398c34e9e95962f1e021d3d847c678ba48c 100644 (file)
--- a/src/archive/zip/reader.go
+++ b/src/archive/zip/reader.go
@@ -69,6 +69,9 @@ func OpenReader(name string) (*ReadCloser, error) {
 // NewReader returns a new Reader reading from r, which is assumed to
 // have the given size in bytes.
 func NewReader(r io.ReaderAt, size int64) (*Reader, error) {
+       if size < 0 {
+               return nil, errors.New("zip: size cannot be negative")
+       }
        zr := new(Reader)
        if err := zr.init(r, size); err != nil {
                return nil, err

diff --git a/src/archive/zip/reader_test.go b/src/archive/zip/reader_test.go
index 1e58b26b6e981cce0cf7578957050f30c914d2b9..6b3f2f33bb4f2c57ed7e15d06d2ef2a936960484 100644 (file)
--- a/src/archive/zip/reader_test.go
+++ b/src/archive/zip/reader_test.go
@@ -658,6 +658,12 @@ func TestInvalidFiles(t *testing.T) {
        if err != ErrFormat {
                t.Errorf("sigs: error=%v, want %v", err, ErrFormat)
        }
+
+       // negative size
+       _, err = NewReader(bytes.NewReader([]byte("foobar")), -1)
+       if err == nil {
+               t.Errorf("archive/zip.NewReader: expected error when negative size is passed")
+       }
 }
 
 func messWith(fileName string, corrupter func(b []byte)) (r io.ReaderAt, size int64) {