archive/tar: terminate when reading malformed sparse files
authorHÃ¥vard Haugen <havard.haugen@gmail.com>
Thu, 28 May 2015 11:48:47 +0000 (13:48 +0200)
committerDavid Symonds <dsymonds@golang.org>
Thu, 28 May 2015 23:54:54 +0000 (23:54 +0000)
Fixes #10968.

Change-Id: I027bc571a71629ac49c2a0ff101b2950af6e7531
Reviewed-on: https://go-review.googlesource.com/10482
Reviewed-by: David Symonds <dsymonds@golang.org>
Run-TryBot: David Symonds <dsymonds@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>

src/archive/tar/reader.go
src/archive/tar/reader_test.go
src/archive/tar/testdata/issue10968.tar [new file with mode: 0644]

index cd23fb57d6b12eb94d1129b927833549b5001088..ae0b97e84007d9ac3dc784bc5167888b38a87c6a 100644 (file)
@@ -791,6 +791,9 @@ func (sfr *sparseFileReader) Read(b []byte) (n int, err error) {
                // Otherwise, we're at the end of the file
                return 0, io.EOF
        }
+       if sfr.tot < sfr.sp[0].offset {
+               return 0, io.ErrUnexpectedEOF
+       }
        if sfr.pos < sfr.sp[0].offset {
                // We're in a hole
                n = sfr.readHole(b, sfr.sp[0].offset)
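Review bot: The added guard `if sfr.tot < sfr.sp[0].offset` compares only the start offset of the entry at sp[0] with the total size, so as far as this hunk shows, an entry with a negative offset or one whose data runs past `sfr.tot` is not rejected here. The sparse map is presumably parsed from the archive and so is untrusted input. It would be more robust to validate every entry once when the reader is constructed (non-negative, in order, ending within the file size) than lazily inside Read. The new check is also the only branch in this stretch without a comment; something like `// A sparse entry that starts past the declared file size is malformed.` would explain the io.ErrUnexpectedEOF return. Read begins before and continues after this hunk, so how later entries are handled is not visible here.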
index ab1e8445a425d1aee5d3b912c1a0fcf425f90bee..6ffb383a22ab53eaa90fc13240aadff8ee39b08a 100644 (file)
@@ -757,3 +757,22 @@ func TestNegativeHdrSize(t *testing.T) {
        }
        io.Copy(ioutil.Discard, r)
 }
+
+// This used to hang in (*sparseFileReader).readHole due to missing
+// verification of sparse offsets against file size.
+func TestIssue10968(t *testing.T) {
+       f, err := os.Open("testdata/issue10968.tar")
+       if err != nil {
+               t.Fatal(err)
+       }
+       defer f.Close()
+       r := NewReader(f)
+       _, err = r.Next()
+       if err != nil {
+               t.Fatal(err)
+       }
+       _, err = io.Copy(ioutil.Discard, r)
+       if err != io.ErrUnexpectedEOF {
+               t.Fatalf("expected %q, got %q", io.ErrUnexpectedEOF, err)
+       }
+}
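Review bot: The failure message in TestIssue10968 formats both errors with `%q`, which prints `%!q(<nil>)` when io.Copy returns a nil error, and that is the very case where the reader wrongly reports a clean end of file. `t.Fatalf("expected %v, got %v", io.ErrUnexpectedEOF, err)` reads correctly for nil and non-nil errors alike. The test also pins only the returned error, so if the hang regresses it will block until the test binary's global timeout; the comment above the function could say so.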
diff --git a/src/archive/tar/testdata/issue10968.tar b/src/archive/tar/testdata/issue10968.tar
new file mode 100644 (file)
index 0000000..1cc837b
Binary files /dev/null and b/src/archive/tar/testdata/issue10968.tar differ