From: Go Compiler Team Date: Thu, 20 Apr 2023 14:32:58 +0000 (+0100) Subject: CVE-2021-39293 X-Git-Tag: archive/raspbian/1.11.6-1+rpi1+deb10u7^2~8 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=bb2a9578c26f03a11456721b94e565babb58935b;p=golang-1.11.git CVE-2021-39293 Origin: https://github.com/golang/go/commit/6c480017ae600b2c90a264a922e041df04dfa785 Reviewed-by: Sylvain Beucler Last-Update: 2022-01-21 Backport note: test case now also deals with prior detection removed in 483d6d99256b3c486e0c99106e232b4909938328 (v1.14) From 6c480017ae600b2c90a264a922e041df04dfa785 Mon Sep 17 00:00:00 2001 From: Roland Shoemaker Date: Wed, 18 Aug 2021 11:49:29 -0700 Subject: [PATCH] [release-branch.go1.16] archive/zip: prevent preallocation check from overflowing If the indicated directory size in the archive header is so large that subtracting it from the archive size overflows a uint64, the check that the indicated number of files in the archive can be effectively bypassed. Prevent this from happening by checking that the indicated directory size is less than the size of the archive. Thanks to the OSS-Fuzz project for discovering this issue and to Emmanuel Odeke for reporting it. Fixes #47985 Updates #47801 Fixes CVE-2021-39293 Change-Id: Ifade26b98a40f3b37398ca86bd5252d12394dd24 Reviewed-on: https://go-review.googlesource.com/c/go/+/343434 Trust: Roland Shoemaker Run-TryBot: Roland Shoemaker TryBot-Result: Go Bot Reviewed-by: Russ Cox (cherry picked from commit bacbc33439b124ffd7392c91a5f5d96eca8c0c0b) Reviewed-on: https://go-review.googlesource.com/c/go/+/345409 Reviewed-by: Emmanuel Odeke Run-TryBot: Emmanuel Odeke Trust: Cherry Mui Gbp-Pq: Name CVE-2021-39293.patch --- diff --git a/src/archive/zip/reader.go b/src/archive/zip/reader.go index a6b67f3..1d0e2c0 100644 --- a/src/archive/zip/reader.go +++ b/src/archive/zip/reader.go @@ -91,7 +91,7 @@ func (z *Reader) init(r io.ReaderAt, size int64) error { // indicate it contains up to 1 << 128 - 1 files. Since each file has a // header which will be _at least_ 30 bytes we can safely preallocate // if (data size / 30) >= end.directoryRecords. - if (uint64(size)-end.directorySize)/30 >= end.directoryRecords { + if end.directorySize < uint64(size) && (uint64(size)-end.directorySize)/30 >= end.directoryRecords { z.File = make([]*File, 0, end.directoryRecords) } z.Comment = end.comment diff --git a/src/archive/zip/reader_test.go b/src/archive/zip/reader_test.go index 8e13bb0..1be7073 100644 --- a/src/archive/zip/reader_test.go +++ b/src/archive/zip/reader_test.go @@ -1105,3 +1105,21 @@ func TestCVE202133196(t *testing.T) { t.Errorf("Archive has unexpected number of files, got %d, want 5", len(r.File)) } } + +func TestCVE202139293(t *testing.T) { + // directory size is so large, that the check in Reader.init + // overflows when subtracting from the archive size, causing + // the pre-allocation check to be bypassed. + data := []byte{ + 0x50, 0x4b, 0x06, 0x06, 0x05, 0x06, 0x31, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50, 0x4b, + 0x06, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x50, 0x4b, 0x05, 0x06, 0x00, 0x1a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50, 0x4b, + 0x06, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x50, 0x4b, 0x05, 0x06, 0x00, 0x31, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, + 0xff, 0x50, 0xfe, 0x00, 0xff, 0x00, 0x3a, 0x00, 0x00, 0x00, 0xff, + } + _, err := NewReader(bytes.NewReader(data), int64(len(data))) + if err != ErrFormat && !strings.Contains(err.Error(), "TOC declares impossible") { + t.Fatalf("unexpected error, got: %v, want: %v", err, ErrFormat) + } +}