Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

archive/zip: file with wrong checksum is successfully decompressed #11146

Closed
dvyukov opened this issue Jun 10, 2015 · 1 comment
Closed

archive/zip: file with wrong checksum is successfully decompressed #11146

dvyukov opened this issue Jun 10, 2015 · 1 comment
Assignees
Milestone

Comments

@dvyukov
Copy link
Member

@dvyukov dvyukov commented Jun 10, 2015

The following program crashes with the panic:

package main

import (
    "archive/zip"
    "bytes"
    "hash/crc32"
    "io/ioutil"
)

func main() {
    data := []byte("PK\x03\x040000000000000000" +
        "000000\x01\x00\x00\x000\x01\x00\x00\xff\xff0000" +
        "0000000000000000PK\x01\x02" +
        "0000\b0\b\x00000000000000" +
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x000000PK\x05\x06\x00\x00" +
        "\x00\x0000\x01\x0000008\x00\x00\x00\x00\x00")
    z, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
    if err != nil {
        panic(err)
    }
    for _, f := range z.File {
        r, err := f.Open()
        if err != nil {
            panic(err)
        }
        c, err := ioutil.ReadAll(r)
        if err != nil {
            panic(err)
        }
        if crc := crc32.ChecksumIEEE(c); crc != f.CRC32 {
            println(crc, f.CRC32)
            panic("bad checksum")
        }
        r.Close()
    }
}
0 808464432
panic: bad checksum

go version devel +b0532a9 Mon Jun 8 05:13:15 2015 +0000 linux/amd64

@ianlancetaylor ianlancetaylor added this to the Go1.5Maybe milestone Jun 10, 2015
@gopherbot
Copy link

@gopherbot gopherbot commented Jun 13, 2015

CL https://golang.org/cl/11070 mentions this issue.

@adg adg closed this in 48d865a Jun 14, 2015
@mikioh mikioh modified the milestones: Go1.5, Go1.5Maybe Jun 15, 2015
@golang golang locked and limited conversation to collaborators Jun 25, 2016
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
5 participants
You can’t perform that action at this time.