Commit e0ac989c authored by Emmanuel T Odeke's avatar Emmanuel T Odeke Committed by Emmanuel Odeke
Browse files

archive/tar: detect out of bounds accesses in PAX records resulting from padded lengths 

Handles the case in which padding of a PAX record's length field
violates invariants about the formatting of record, whereby it no
longer matches the prescribed format:

    "%d %s=%s\n", <length>, <keyword>, <value>

as per:

    https://pubs.opengroup.org/onlinepubs/9699919799/utilities/pax.html#tag_20_92_13_03

0-padding, and paddings of other sorts weren't handled and we assumed
that only non-padded decimal lengths would be passed in.
Added test cases to ensure that the parsing still proceeds as expected.

The prior crashing repro:

    0000000000000000000000000000000030 mtime=1432668921.098285006\n30 ctime=2147483649.15163319

exposed the fallacy in the code, that assumed that the length would ALWAYS be a
non-padded decimal length string.

This bug has existed since Go1.1 as per CL 6700047.

Thanks to Josh Bleecher Snyder for fuzzing this package, and thanks to Tom
Thorogood for advocacy, raising parity with GNU Tar, but for providing more test cases.

Fixes #40196

Change-Id: I32e0af4887bc9221481bd9e8a5120a79f177f08c
Reviewed-on: https://go-review.googlesource.com/c/go/+/289629


Trust: Emmanuel Odeke <emmanuel@orijtech.com>
Trust: Joe Tsai <thebrokentoaster@gmail.com>
Run-TryBot: Emmanuel Odeke <emmanuel@orijtech.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: default avatarJoe Tsai <thebrokentoaster@gmail.com>
parent c9d6f45f
Show whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please to comment