From: Meng Zhuo <mzh@golangcn.org>
Date: Wed, 24 Nov 2021 08:33:14 +0000 (+0800)
Subject: archive/zip: fail fast if UncompressedSize64 < nread
X-Git-Tag: go1.19beta1~725
X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=b6fb3af6af9835962ce1de1e1afcaa46726a654e;p=gostls13.git

archive/zip: fail fast if UncompressedSize64 < nread

The zip reader checks that the uncompressed file size is valid
after all compressed files read until EOF.
However in between reading each file, there could have already
been an overflow where nread > UncompressedSize64 hence this
change will now return ErrFormat in such situations.

Fixes #49791

Change-Id: If3584a57d173de6a97bf35c07d2a99ff6972f820
Reviewed-on: https://go-review.googlesource.com/c/go/+/366854
Trust: mzh <mzh@golangcn.org>
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Emmanuel Odeke <emmanuel@orijtech.com>
Trust: Emmanuel Odeke <emmanuel@orijtech.com>
---

diff --git a/src/archive/zip/reader.go b/src/archive/zip/reader.go
index 92fd6f6a92..b4f6a8d714 100644
--- a/src/archive/zip/reader.go
+++ b/src/archive/zip/reader.go
@@ -229,6 +229,9 @@ func (r *checksumReader) Read(b []byte) (n int, err error) {
 	n, err = r.rc.Read(b)
 	r.hash.Write(b[:n])
 	r.nread += uint64(n)
+	if r.nread > r.f.UncompressedSize64 {
+		return 0, ErrFormat
+	}
 	if err == nil {
 		return
 	}
diff --git a/src/archive/zip/reader_test.go b/src/archive/zip/reader_test.go
index 9bc23642c0..fd0a171304 100644
--- a/src/archive/zip/reader_test.go
+++ b/src/archive/zip/reader_test.go
@@ -1407,3 +1407,30 @@ func TestCVE202141772(t *testing.T) {
 		t.Errorf("Inconsistent name in info entry: %v", name)
 	}
 }
+
+func TestUnderSize(t *testing.T) {
+	z, err := OpenReader("testdata/readme.zip")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer z.Close()
+
+	for _, f := range z.File {
+		f.UncompressedSize64 = 1
+	}
+
+	for _, f := range z.File {
+		t.Run(f.Name, func(t *testing.T) {
+			rd, err := f.Open()
+			if err != nil {
+				t.Fatal(err)
+			}
+			defer rd.Close()
+
+			_, err = io.Copy(io.Discard, rd)
+			if err != ErrFormat {
+				t.Fatalf("Error mismatch\n\tGot:  %v\n\tWant: %v", err, ErrFormat)
+			}
+		})
+	}
+}