Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

archive/zip: bad file size #10957

dvyukov opened this issue May 26, 2015 · 1 comment

archive/zip: bad file size #10957

dvyukov opened this issue May 26, 2015 · 1 comment


Copy link

@dvyukov dvyukov commented May 26, 2015

The following program crashes with a panic:

package main

import (

func main() {
    data := []byte("PK\x03\x040000000PK\x01\x0200000" +
        "0000000000000000000\x00" +
        "\x00\x00\x00\x00\x00000000000000PK\x01" +
        "\x020000000000000000000" +
        "00000\v\x00\x00\x00\x00\x00000000000" +
        "00000000000000PK\x01\x0200" +
        "00000000000000000000" +
        "00\v\x00\x00\x00\x00\x00000000000000" +
        "00000000000PK\x01\x020000<" +
        "0\x00\x0000000000000000\v\x00\v" +
        "\x00\x00\x00\x00\x0000000000\x00\x00\x00\x00000" +
        "00000000PK\x01\x0200000000" +
        "0000000000000000\v\x00\x00\x00" +
        "\x00\x0000PK\x05\x06000000\x05\x000000" +
    z, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
    if err != nil {
        if z != nil {
            panic("non nil z")
    for _, f := range z.File {
        r, err := f.Open()
        if err != nil {
        if f.UncompressedSize64 < 1e6 {
            n, err := io.Copy(ioutil.Discard, r)
            if err == nil && uint64(n) != f.UncompressedSize64 {
                println("bad size:", n, f.UncompressedSize64)
                panic("bad size")
bad size: 0 733232
panic: bad size

If a file read succeeds (err==nil), then the file size should be checked against UncompressedSize. That is, if actual file data is shorter than UncompressedSize, then Read should return io.UnexpectedEOF; if actual file data is larger than UncompressedSize, then Read should stop at UncompressedSize and return an error. That last case (actual data is larger than claimed size) is particularly dangerous (I don't know if this kind of vulnerability is possible, but I suspect it is).

on commit 8017ace

@dvyukov dvyukov added this to the Go1.5 milestone May 26, 2015
Copy link

@gopherbot gopherbot commented May 26, 2015

CL mentions this issue.

@bradfitz bradfitz closed this in fad25c2 May 26, 2015
@golang golang locked and limited conversation to collaborators Jun 25, 2016
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
3 participants
You can’t perform that action at this time.