languages/go
languages/go
1
0
Fork 0
mirror of https://github.com/golang/go synced 2024-11-02 11:50:30 +00:00
Code Issues Projects Releases Packages Wiki Activity

archive/tar: handle integer overflow on 32bit machines

Browse source 
Most calls to strconv.ParseInt(x, 10, 0) should really be
calls to strconv.ParseInt(x, 10, 64) in order to ensure that they
do not overflow on 32b architectures.

Furthermore, we should document a bug where Uid and Gid may
overflow on 32b machines since the type is declared as int.

Change-Id: I99c0670b3c2922e4a9806822d9ad37e1a364b2b8
Reviewed-on: https://go-review.googlesource.com/28472
Run-TryBot: Joe Tsai <thebrokentoaster@gmail.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Russ Cox <rsc@golang.org>
This commit is contained in:
Joe Tsai 2016-09-02 21:03:57 -07:00 committed by Joe Tsai
parent 94f49fd40d
commit 14204662c8
2 changed files with 11 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
src/archive/tar/common.go
View file

@ -20,6 +20,10 @@ import (
"time" "time"
) )
// BUG: Use of the Uid and Gid fields in Header could overflow on 32-bit
// architectures. If a large value is encountered when decoding, the result
// stored in Header will be the truncated version.
// Header type flags. // Header type flags.
const ( const (
TypeReg = '0' // regular file TypeReg = '0' // regular file

14
src/archive/tar/reader.go
View file

@ -269,13 +269,13 @@ func (tr *Reader) checkForGNUSparsePAXHeaders(hdr *Header, headers map[string]st
hdr.Name = sparseName hdr.Name = sparseName
} }
if sparseSizeOk { if sparseSizeOk {
realSize, err := strconv.ParseInt(sparseSize, 10, 0) realSize, err := strconv.ParseInt(sparseSize, 10, 64)
if err != nil { if err != nil {
return nil, ErrHeader return nil, ErrHeader
} }
hdr.Size = realSize hdr.Size = realSize
} else if sparseRealSizeOk { } else if sparseRealSizeOk {
realSize, err := strconv.ParseInt(sparseRealSize, 10, 0) realSize, err := strconv.ParseInt(sparseRealSize, 10, 64)
if err != nil { if err != nil {
return nil, ErrHeader return nil, ErrHeader
} }
@ -312,11 +312,11 @@ func mergePAX(hdr *Header, headers map[string]string) (err error) {
case paxGname: case paxGname:
hdr.Gname = v hdr.Gname = v
case paxUid: case paxUid:
id64, err = strconv.ParseInt(v, 10, 0) id64, err = strconv.ParseInt(v, 10, 64)
hdr.Uid = int(id64) hdr.Uid = int(id64) // Integer overflow possible
case paxGid: case paxGid:
id64, err = strconv.ParseInt(v, 10, 0) id64, err = strconv.ParseInt(v, 10, 64)
hdr.Gid = int(id64) hdr.Gid = int(id64) // Integer overflow possible
case paxAtime: case paxAtime:
hdr.AccessTime, err = parsePAXTime(v) hdr.AccessTime, err = parsePAXTime(v)
case paxMtime: case paxMtime:
@ -324,7 +324,7 @@ func mergePAX(hdr *Header, headers map[string]string) (err error) {
case paxCtime: case paxCtime:
hdr.ChangeTime, err = parsePAXTime(v) hdr.ChangeTime, err = parsePAXTime(v)
case paxSize: case paxSize:
hdr.Size, err = strconv.ParseInt(v, 10, 0) hdr.Size, err = strconv.ParseInt(v, 10, 64)
default: default:
if strings.HasPrefix(k, paxXattr) { if strings.HasPrefix(k, paxXattr) {
if hdr.Xattrs == nil { if hdr.Xattrs == nil {