Skip to content

Commit 895fb1b

Browse files
rolandshoemakerkatiehockman
rolandshoemaker
authored and
katiehockman
committed
[release-branch.go1.16] archive/zip: only preallocate File slice if reasonably sized
Since the number of files in the EOCD record isn't validated, it isn't safe to preallocate Reader.Files using that field. A malformed archive can indicate it contains up to 1 << 128 - 1 files. We can still safely preallocate the slice by checking if the specified number of files in the archive is reasonable, given the size of the archive. Thanks to the OSS-Fuzz project for discovering this issue and to Emmanuel Odeke for reporting it. Updates #46242 Fixes #46397 Fixes CVE-2021-33196 Change-Id: I3c76d8eec178468b380d87fdb4a3f2cb06f0ee76 Reviewed-on: https://go-review.googlesource.com/c/go/+/318909 Trust: Roland Shoemaker <[email protected]> Trust: Katie Hockman <[email protected]> Trust: Joe Tsai <[email protected]> Run-TryBot: Roland Shoemaker <[email protected]> TryBot-Result: Go Bot <[email protected]> Reviewed-by: Katie Hockman <[email protected]> Reviewed-by: Joe Tsai <[email protected]> (cherry picked from commit 74242ba) Reviewed-on: https://go-review.googlesource.com/c/go/+/322909 Reviewed-by: Filippo Valsorda <[email protected]>
1 parent df6a737 commit 895fb1b

File tree

2 files changed

+68
-1
lines changed

2 files changed

+68
-1
lines changed

src/archive/zip/reader.go

Lines changed: 9 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -99,7 +99,15 @@ func (z *Reader) init(r io.ReaderAt, size int64) error {
9999
return err
100100
}
101101
z.r = r
102-
z.File = make([]*File, 0, end.directoryRecords)
102+
// Since the number of directory records is not validated, it is not
103+
// safe to preallocate z.File without first checking that the specified
104+
// number of files is reasonable, since a malformed archive may
105+
// indicate it contains up to 1 << 128 - 1 files. Since each file has a
106+
// header which will be _at least_ 30 bytes we can safely preallocate
107+
// if (data size / 30) >= end.directoryRecords.
108+
if (uint64(size)-end.directorySize)/30 >= end.directoryRecords {
109+
z.File = make([]*File, 0, end.directoryRecords)
110+
}
103111
z.Comment = end.comment
104112
rs := io.NewSectionReader(r, 0, size)
105113
if _, err = rs.Seek(int64(end.directoryOffset), io.SeekStart); err != nil {

src/archive/zip/reader_test.go

Lines changed: 59 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1166,3 +1166,62 @@ func TestCVE202127919(t *testing.T) {
11661166
t.Errorf("Error reading file: %v", err)
11671167
}
11681168
}
1169+
1170+
func TestCVE202133196(t *testing.T) {
1171+
// Archive that indicates it has 1 << 128 -1 files,
1172+
// this would previously cause a panic due to attempting
1173+
// to allocate a slice with 1 << 128 -1 elements.
1174+
data := []byte{
1175+
0x50, 0x4b, 0x03, 0x04, 0x14, 0x00, 0x08, 0x08,
1176+
0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1177+
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1178+
0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x01, 0x02,
1179+
0x03, 0x62, 0x61, 0x65, 0x03, 0x04, 0x00, 0x00,
1180+
0xff, 0xff, 0x50, 0x4b, 0x07, 0x08, 0xbe, 0x20,
1181+
0x5c, 0x6c, 0x09, 0x00, 0x00, 0x00, 0x03, 0x00,
1182+
0x00, 0x00, 0x50, 0x4b, 0x01, 0x02, 0x14, 0x00,
1183+
0x14, 0x00, 0x08, 0x08, 0x08, 0x00, 0x00, 0x00,
1184+
0x00, 0x00, 0xbe, 0x20, 0x5c, 0x6c, 0x09, 0x00,
1185+
0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x03, 0x00,
1186+
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1187+
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1188+
0x01, 0x02, 0x03, 0x50, 0x4b, 0x06, 0x06, 0x2c,
1189+
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2d,
1190+
0x00, 0x2d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1191+
0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
1192+
0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff,
1193+
0xff, 0xff, 0xff, 0x31, 0x00, 0x00, 0x00, 0x00,
1194+
0x00, 0x00, 0x00, 0x3a, 0x00, 0x00, 0x00, 0x00,
1195+
0x00, 0x00, 0x00, 0x50, 0x4b, 0x06, 0x07, 0x00,
1196+
0x00, 0x00, 0x00, 0x6b, 0x00, 0x00, 0x00, 0x00,
1197+
0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x50,
1198+
0x4b, 0x05, 0x06, 0x00, 0x00, 0x00, 0x00, 0xff,
1199+
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1200+
0xff, 0xff, 0xff, 0x00, 0x00,
1201+
}
1202+
_, err := NewReader(bytes.NewReader(data), int64(len(data)))
1203+
if err != ErrFormat {
1204+
t.Fatalf("unexpected error, got: %v, want: %v", err, ErrFormat)
1205+
}
1206+
1207+
// Also check that an archive containing a handful of empty
1208+
// files doesn't cause an issue
1209+
b := bytes.NewBuffer(nil)
1210+
w := NewWriter(b)
1211+
for i := 0; i < 5; i++ {
1212+
_, err := w.Create("")
1213+
if err != nil {
1214+
t.Fatalf("Writer.Create failed: %s", err)
1215+
}
1216+
}
1217+
if err := w.Close(); err != nil {
1218+
t.Fatalf("Writer.Close failed: %s", err)
1219+
}
1220+
r, err := NewReader(bytes.NewReader(b.Bytes()), int64(b.Len()))
1221+
if err != nil {
1222+
t.Fatalf("NewReader failed: %s", err)
1223+
}
1224+
if len(r.File) != 5 {
1225+
t.Errorf("Archive has unexpected number of files, got %d, want 5", len(r.File))
1226+
}
1227+
}

0 commit comments

Comments
 (0)