Reviewers: golang-dev_googlegroups.com,

Message:
Hello golang-dev@googlegroups.com (cc: golang-dev@googlegroups.com),

I'd like you to review this change to
https://code.google.com/p/go


Description:
archive/zip: Fix bounds check panic for ZIP files with a truncated extra
header.

Please review this at http://codereview.appspot.com/6811080/

Affected files:
M src/pkg/archive/zip/reader.go
M src/pkg/archive/zip/zip_test.go


Index: src/pkg/archive/zip/reader.go
===================================================================
--- a/src/pkg/archive/zip/reader.go
+++ b/src/pkg/archive/zip/reader.go
@@ -238,7 +238,7 @@

if len(f.Extra) > 0 {
b := readBuf(f.Extra)
- for len(b) > 0 {
+ for len(b) > 4 { // need at least tag and size
tag := b.uint16()
size := b.uint16()
if int(size) > len(b) {
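Review bot: The new loop guard `for len(b) > 4` is off by one: tag and size together take exactly four bytes, so a final record with a zero-length payload never enters the loop. With the `len(b) != 0` check added in the second reader.go hunk, those four bytes are then treated as leftover and the archive fails with ErrFormat even though the record is well formed. `for len(b) >= 4 { // need at least tag and size` keeps the panic fix for 1–3 trailing bytes and still accepts the empty record. The enclosing function starts above this hunk, so the tag handling between the two hunks is not visible here.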
@@ -259,6 +259,10 @@
}
b = b[size:]
}
+ // Should have consumed the whole header.
+ if len(b) != 0 {
+ return ErrFormat
+ }
}
return nil
}
Index: src/pkg/archive/zip/zip_test.go
===================================================================
--- a/src/pkg/archive/zip/zip_test.go
+++ b/src/pkg/archive/zip/zip_test.go
@@ -174,13 +174,31 @@
}
}

-// Issue 4302.
-func TestInvalidExtraHedaer(t *testing.T) {
- const timeFormat = "20060102T150405.000.txt"
-
+func testInvalidHeader(h *FileHeader, t *testing.T) {
var buf bytes.Buffer
z := NewWriter(&buf)

+ f, err := z.CreateHeader(h)
+ if err != nil {
+ t.Fatalf("error creating header: %v", err)
+ }
+ if _, err := f.Write([]byte("hi")); err != nil {
+ t.Fatalf("error writing content: %v", err)
+ }
+ if err := z.Close(); err != nil {
+ t.Fatal("error closing zip writer: %v", err)
+ }
+
+ b := buf.Bytes()
+ if _, err = NewReader(bytes.NewReader(b), int64(len(b))); err == nil {
+ t.Fatal("expected ErrFormat")
+ }
+}
+
+// Issue 4302.
+func TestHeaderInvalidTagAndSize(t *testing.T) {
+ const timeFormat = "20060102T150405.000.txt"
+
ts := time.Now()
filename := ts.Format(timeFormat)

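Review bot: In testInvalidHeader the failure path after `z.Close()` calls `t.Fatal("error closing zip writer: %v", err)`, which does not interpret the format string; it should be `t.Fatalf`. The final assertion also passes on any non-nil error although its message names ErrFormat. Comparing directly, `if _, err = NewReader(bytes.NewReader(b), int64(len(b))); err != ErrFormat {` with `t.Fatalf("got %v, want ErrFormat", err)`, keeps the test from passing on an unrelated failure. Go test helpers conventionally take `t *testing.T` as the first parameter. TestHeaderInvalidTagAndSize continues past the end of this hunk.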
@@ -191,19 +209,14 @@
}
h.SetModTime(ts)

- fh, err := z.CreateHeader(&h)
- if err != nil {
- t.Fatalf("error creating header: %v", err)
+ testInvalidHeader(&h, t)
+}
+
+func TestHeaderTooShort(t *testing.T) {
+ h := FileHeader{
+ Name: "foo.txt",
+ Method: Deflate,
+ Extra: []byte{zip64ExtraId}, // missing size
}
- if _, err := fh.Write([]byte("hi")); err != nil {
- t.Fatalf("error writing content: %v", err)
- }
- if err := z.Close(); err != nil {
- t.Fatal("error closing zip writer: %v", err)
- }
-
- b := buf.Bytes()
- if _, err = NewReader(bytes.NewReader(b), int64(len(b))); err == nil {
- t.Fatal("expected ErrFormat")
- }
+ testInvalidHeader(&h, t)
}
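Review bot: TestHeaderTooShort covers only a one-byte extra field, so nothing here exercises the boundary that the reader change moves: an extra field of exactly four bytes (tag plus a zero size). A positive test that such an archive still opens would catch an off-by-one in the loop guard, and 2- and 3-byte inputs would cover the remaining truncated cases. The sketch below uses a constructed tag value; whether the reader skips unknown tags is not visible on this page, so confirm that before adopting it.

```go
func TestHeaderZeroSizeExtra(t *testing.T) {
	h := FileHeader{
		Name:   "foo.txt",
		Method: Deflate,
		Extra:  []byte{0x99, 0x99, 0x00, 0x00}, // constructed sample: tag, size 0
	}
	var buf bytes.Buffer
	z := NewWriter(&buf)
	if _, err := z.CreateHeader(&h); err != nil {
		t.Fatalf("error creating header: %v", err)
	}
	if err := z.Close(); err != nil {
		t.Fatalf("error closing zip writer: %v", err)
	}
	b := buf.Bytes()
	if _, err := NewReader(bytes.NewReader(b), int64(len(b))); err != nil {
		t.Fatalf("well-formed extra field rejected: %v", err)
	}
}
```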
