archive/tar: fix slice bounds out of range

Sanity check the pax-header size field before using it. Fixes #11167. Change-Id: I9d5d0210c3990e6fb9434c3fe333be0d507d5962 Reviewed-on: https://go-review.googlesource.com/10954Reviewed-by: David Symonds <dsymonds@golang.org>

archive/tar: fix slice bounds out of range
Sanity check the pax-header size field before using it. Fixes #11167. Change-Id: I9d5d0210c3990e6fb9434c3fe333be0d507d5962 Reviewed-on: https://go-review.googlesource.com/10954Reviewed-by: David Symonds <dsymonds@golang.org>
5acba80a · Michael Gehring · David Symonds · b9bd57e7 · 5acba80a · 5acba80a
Commit 5acba80a authored Jun 12, 2015 by Michael Gehring Committed by David Symonds Jun 12, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 4 deletions

reader.go src/archive/tar/reader.go +1 -1

reader_test.go src/archive/tar/reader_test.go +8 -3

No files found.
--- a/src/archive/tar/reader.go
+++ b/src/archive/tar/reader.go
@@ -333,7 +333,7 @@ func parsePAX(r io.Reader) (map[string]string, error) {
 		}
 		// Parse the first token as a decimal integer.
 		n, err := strconv.ParseInt(string(buf[:sp]), 10, 0)
-		if err != nil {
+		if err != nil || n < 5 || int64(len(buf)) < n {
 			return nil, ErrHeader
 		}
 		// Extract everything between the decimal and the n -1 on the

--- a/src/archive/tar/reader_test.go
+++ b/src/archive/tar/reader_test.go
@@ -462,9 +462,14 @@ func TestParsePAXHeader(t *testing.T) {
 			t.Error("Buffer wasn't consumed")
 		}
 	}
-	badHeader := bytes.NewReader([]byte("3 somelongkey="))
-	if _, err := parsePAX(badHeader); err != ErrHeader {
-		t.Fatal("Unexpected success when parsing bad header")
+	badHeaderTests := [][]byte{
+		[]byte("3 somelongkey=\n"),
+		[]byte("50 tooshort=\n"),
+	}
+	for _, test := range badHeaderTests {
+		if _, err := parsePAX(bytes.NewReader(test)); err != ErrHeader {
+			t.Fatal("Unexpected success when parsing bad header")
+		}
 	}
 }