From 69de764807dae1f3b43badebbb958f7fcb3d70c8 Mon Sep 17 00:00:00 2001
From: Michael Gehring
Date: Fri, 12 Jun 2015 22:49:42 +0200
Subject: [PATCH] archive/tar: fix slice bounds out of range

Sanity check the pax-header size field before using it.

Fixes #11167.

Change-Id: I9d5d0210c3990e6fb9434c3fe333be0d507d5962
Reviewed-on: https://go-review.googlesource.com/10954
Reviewed-by: David Symonds
Signed-off-by: Vincent Batts
---
 archive/tar/reader.go | 2 +-
 archive/tar/reader_test.go | 11 ++++++++---
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/archive/tar/reader.go b/archive/tar/reader.go
index dbc5698..6f219da 100644
--- a/archive/tar/reader.go
+++ b/archive/tar/reader.go
@@ -397,7 +397,7 @@ func parsePAX(r io.Reader) (map[string]string, error) {
 }
 // Parse the first token as a decimal integer.
 n, err := strconv.ParseInt(string(buf[:sp]), 10, 0)
- if err != nil {
+ if err != nil || n < 5 || int64(len(buf)) < n {
 return nil, ErrHeader
 }
 // Extract everything between the decimal and the n -1 on the
diff --git a/archive/tar/reader_test.go b/archive/tar/reader_test.go
index 6ffb383..311db77 100644
--- a/archive/tar/reader_test.go
+++ b/archive/tar/reader_test.go
@@ -462,9 +462,14 @@ func TestParsePAXHeader(t *testing.T) {
 t.Error("Buffer wasn't consumed")
 }
 }
- badHeader := bytes.NewReader([]byte("3 somelongkey="))
- if _, err := parsePAX(badHeader); err != ErrHeader {
- t.Fatal("Unexpected success when parsing bad header")
+ badHeaderTests := [][]byte{
+ []byte("3 somelongkey=\n"),
+ []byte("50 tooshort=\n"),
+ }
+ for _, test := range badHeaderTests {
+ if _, err := parsePAX(bytes.NewReader(test)); err != ErrHeader {
+ t.Fatal("Unexpected success when parsing bad header")
+ }
 }
 }
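Review bot: The new guard in the reader.go hunk bounds n against 5 and len(buf) but never against sp, the index of the space that terminates the size field, so a record slice whose low bound sits past its high bound is still reachable. The comment on the hunk's last context line says the record is taken from after the decimal up to n-1; a size field padded with leading zeros such as "0005 k=v\n" has sp == 4 and n == 5, passes err == nil, n >= 5 and len(buf) >= n, and if the slice below is buf[sp+1:n-1] as that comment suggests, it hits the same slice-bounds panic this commit set out to fix. I would make the lower bound relative to the field's width as well: `if err != nil || n < 5 || n < int64(sp)+2 || int64(len(buf)) < n {`. The slicing line and the rest of parsePAX lie outside the hunk, so the exact expression there should be confirmed before landing that form.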
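Review bot: The `t.Fatal` inside the new loop in reader_test.go prints the same message for every entry of badHeaderTests, so a regression does not say which header slipped through and stops the loop at the first one; a formatted, non-fatal report is more useful: `t.Errorf("parsePAX(%q): got err %v, want ErrHeader", test, err)`. The two inputs also cover only an undersized and an oversized length field; a length field padded with leading zeros, e.g. `[]byte("0005 k=v\n")`, where n is at least 5 but does not extend past the space, would exercise the lower bound relative to the field's width, which the new check in parsePAX does not compare against, so I would expect that case to need a matching parser change rather than pass as-is. TestParsePAXHeader begins before the hunk.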