Skip to content

Commit

Permalink
archive/tar: don't panic on negative file size
Browse files Browse the repository at this point in the history 
Fixes #10959.
Fixes #10960.

Change-Id: I9a81a0e2b8275338d0d1c3f7f7265e0fd91f3de2
Reviewed-on: https://go-review.googlesource.com/10402
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: David Symonds <dsymonds@golang.org>
  • Loading branch information
@osocurioso @dsymonds
osocurioso authored and dsymonds committed May 27, 2015
1 parent 6551803 commit 02f4084
Show file tree
Hide file tree
Showing 3 changed files with 20 additions and 0 deletions.
4 changes: 4 additions & 0 deletions src/archive/tar/reader.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -463,6 +463,10 @@ func (tr *Reader) readHeader() *Header {
hdr.Uid = int(tr.octal(s.next(8)))
hdr.Gid = int(tr.octal(s.next(8)))
hdr.Size = tr.octal(s.next(12))
if hdr.Size < 0 {
tr.err = ErrHeader
return nil
}
hdr.ModTime = time.Unix(tr.octal(s.next(12)), 0)
s.next(8) // chksum
hdr.Typeflag = s.next(1)[0]
Expand Down
16 changes: 16 additions & 0 deletions src/archive/tar/reader_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -741,3 +741,19 @@ func TestUninitializedRead(t *testing.T) {
}

}

// Negative header size should not cause panic.
// Issues 10959 and 10960.
func TestNegativeHdrSize(t *testing.T) {
f, err := os.Open("testdata/neg-size.tar")
if err != nil {
t.Fatal(err)
}
defer f.Close()
r := NewReader(f)
_, err = r.Next()
if err != ErrHeader {
t.Error("want ErrHeader, got", err)
}
io.Copy(ioutil.Discard, r)
}
Binary file added src/archive/tar/testdata/neg-size.tar
View file
Binary file not shown.

0 comments on commit 02f4084

Please sign in to comment.