archive/tar: fix slice bounds out of range
authorMichael Gehring <mg@ebfe.org>
Fri, 12 Jun 2015 20:49:42 +0000 (22:49 +0200)
committerDavid Symonds <dsymonds@golang.org>
Fri, 12 Jun 2015 21:35:47 +0000 (21:35 +0000)
Sanity check the pax-header size field before using it.

Fixes #11167.

Change-Id: I9d5d0210c3990e6fb9434c3fe333be0d507d5962
Reviewed-on: https://go-review.googlesource.com/10954
Reviewed-by: David Symonds <dsymonds@golang.org>
src/archive/tar/reader.go
src/archive/tar/reader_test.go

index ae0b97e84007d9ac3dc784bc5167888b38a87c6a..8662e5643b47b9f19ed2790079e5ac30e867ec97 100644 (file)
@@ -333,7 +333,7 @@ func parsePAX(r io.Reader) (map[string]string, error) {
                }
                // Parse the first token as a decimal integer.
                n, err := strconv.ParseInt(string(buf[:sp]), 10, 0)
-               if err != nil {
+               if err != nil || n < 5 || int64(len(buf)) < n {
                        return nil, ErrHeader
                }
                // Extract everything between the decimal and the n -1 on the
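Review bot: The new guard bounds `n` against the constant 5 and against `len(buf)`, but not against `sp`, the length of the size token itself. The slice that follows is outside the hunk; if it takes `buf[sp+1:n-1]`, as the trailing comment suggests, a size field whose digit count is larger than its value would still put the low bound above the high bound and panic. Adding `|| n < int64(sp)+2` to the condition would cover that case. The literal 5 also deserves a short comment saying it is presumably the length of the shortest possible record (one size digit, space, one-byte key, `=`, newline). parsePAX's body starts and ends outside the hunk.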
index 6ffb383a22ab53eaa90fc13240aadff8ee39b08a..311db7764128fb28dd5ac9bfd38f9b0098d790bd 100644 (file)
@@ -462,9 +462,14 @@ func TestParsePAXHeader(t *testing.T) {
                        t.Error("Buffer wasn't consumed")
                }
        }
-       badHeader := bytes.NewReader([]byte("3 somelongkey="))
-       if _, err := parsePAX(badHeader); err != ErrHeader {
-               t.Fatal("Unexpected success when parsing bad header")
+       badHeaderTests := [][]byte{
+               []byte("3 somelongkey=\n"),
+               []byte("50 tooshort=\n"),
+       }
+       for _, test := range badHeaderTests {
+               if _, err := parsePAX(bytes.NewReader(test)); err != ErrHeader {
+                       t.Fatal("Unexpected success when parsing bad header")
+               }
        }
 }
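Review bot: The failure message inside the new loop does not say which input failed, and "Unexpected success" is also printed when parsePAX returns some other error rather than nil. Reporting the input and the error, `t.Errorf("parsePAX(%q) = %v, want ErrHeader", test, err)`, keeps the loop running and makes a regression easy to locate. The table covers a size below the minimum and a size beyond the buffer; a case where the size is at least 5 but smaller than its own digit count plus the separator would pin the remaining boundary. TestParsePAXHeader starts outside the hunk.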