archive/zip: bad file size

[dvyukov]

The following program crashes with a panic:

package main

import (
    "archive/zip"
    "bytes"
    "io"
    "io/ioutil"
)

func main() {
    data := []byte("PK\x03\x040000000PK\x01\x0200000" +
        "0000000000000000000\x00" +
        "\x00\x00\x00\x00\x00000000000000PK\x01" +
        "\x020000000000000000000" +
        "00000\v\x00\x00\x00\x00\x00000000000" +
        "00000000000000PK\x01\x0200" +
        "00000000000000000000" +
        "00\v\x00\x00\x00\x00\x00000000000000" +
        "00000000000PK\x01\x020000<" +
        "0\x00\x0000000000000000\v\x00\v" +
        "\x00\x00\x00\x00\x0000000000\x00\x00\x00\x00000" +
        "00000000PK\x01\x0200000000" +
        "0000000000000000\v\x00\x00\x00" +
        "\x00\x0000PK\x05\x06000000\x05\x000000" +
        "\v\x00\x00\x00\x00\x00")
    z, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
    if err != nil {
        if z != nil {
            panic("non nil z")
        }
        return
    }
    for _, f := range z.File {
        r, err := f.Open()
        if err != nil {
            continue
        }
        if f.UncompressedSize64 < 1e6 {
            n, err := io.Copy(ioutil.Discard, r)
            if err == nil && uint64(n) != f.UncompressedSize64 {
                println("bad size:", n, f.UncompressedSize64)
                panic("bad size")
            }
        }
        r.Close()
    }
}

bad size: 0 733232
panic: bad size

If a file read succeeds (err==nil), then the file size should be checked against UncompressedSize. That is, if actual file data is shorter than UncompressedSize, then Read should return io.UnexpectedEOF; if actual file data is larger than UncompressedSize, then Read should stop at UncompressedSize and return an error. That last case (actual data is larger than claimed size) is particularly dangerous (I don't know if this kind of vulnerability is possible, but I suspect it is).

on commit 8017ace

[gopherbot]

CL https://golang.org/cl/10384 mentions this issue.