x/tools/txtar: Parse can panic with slice bounds out of range #47193

Open
cor0ps opened this issue Jul 14, 2021 · 8 comments
Labels
NeedsFix Tools

@cor0ps cor0ps commented Jul 14, 2021

What version of Go are you using (go version)?

$ go version
go version go1.16.4 windows/amd64

Does this issue reproduce with the latest release?

Yes, this is because of golang.org/x/tools/txtar; all versions may reproduce it.

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
set GO111MODULE=auto
set GOARCH=amd64
set GOBIN=
set GOCACHE=C:\Users\x\AppData\Local\go-build
set GOENV=C:\Users\x\AppData\Roaming\go\env
set GOEXE=.exe
set GOFLAGS=
set GOHOSTARCH=amd64
set GOHOSTOS=windows
set GOINSECURE=
set GOMODCACHE=C:\Users\xxx\go\pkg\mod
set GONOPROXY=
set GONOSUMDB=
set GOOS=windows
set GOPATH=C:\Users\
set GOPRIVATE=
set GOPROXY=
set GOROOT=D:\Program Files\Go
set GOSUMDB=sum.golang.org
set GOTMPDIR=
set GOTOOLDIR=
set GOVCS=
set GOVERSION=go1.16.4
set GCCGO=gccgo
set AR=ar
set CC=gcc
set CXX=g++
set CGO_ENABLED=1
set GOMOD=
set CGO_CFLAGS=-g -O2
set CGO_CPPFLAGS=
set CGO_CXXFLAGS=-g -O2
set CGO_FFLAGS=-g -O2
set CGO_LDFLAGS=-g -O2
set PKG_CONFIG=pkg-config

What did you do?

https://play.golang.org/p/b-471BZeL9y

What did you expect to see?

The program runs OK.

What did you see instead?

panic: runtime error: slice bounds out of range [3:2]

The reason is: strings.TrimSpace(string(data[len(marker) : len(data)-len(markerEnd)]))

len(marker)==3
len(data)-len(markerEnd)==2

Maybe this needs a bug fix: the match for marker and markerEnd should not duplicate!

@mdlayher mdlayher changed the title golang.org/x/tools/txtar Parse has slice bounds out of range x/tools/txtar: Parse has slice bounds out of range Jul 14, 2021
@gopherbot gopherbot added the Tools label Jul 14, 2021
@gopherbot gopherbot added this to the Unreleased milestone Jul 14, 2021
@cherrymui cherrymui added the NeedsInvestigation label Jul 14, 2021

@cherrymui cherrymui commented Jul 14, 2021

@cherrymui cherrymui changed the title x/tools/txtar: Parse has slice bounds out of range x/tools/txtar: Parse can panic with slice bounds out of range Jul 14, 2021
@jayconrod jayconrod added the NeedsFix label Jul 14, 2021
@gopherbot gopherbot removed the NeedsInvestigation label Jul 14, 2021

@jayconrod jayconrod commented Jul 14, 2021

Reproduced. The file name in this example is empty. txtar.Parse cannot return an error, so it should probably not treat that line as a file separator.
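
The out-of-range slice reported in this issue, next to a check that ignores such a line instead of treating it as a file separator, as an added Go example that is not the x/tools source. The function names are hypothetical, the inputs are constructed, and the delimiter values assume the txtar format's 3-byte `-- ` and ` --` markers.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
)

// txtar file separator delimiters; both are 3 bytes long.
var (
	marker    = []byte("-- ")
	markerEnd = []byte(" --")
)

// nameUnchecked (hypothetical) applies the slice expression quoted in the
// report without checking that prefix and suffix do not overlap.
func nameUnchecked(line []byte) string {
	if !bytes.HasPrefix(line, marker) || !bytes.HasSuffix(line, markerEnd) {
		return ""
	}
	return strings.TrimSpace(string(line[len(marker) : len(line)-len(markerEnd)]))
}

// nameChecked (hypothetical) returns ok=false for a line that cannot hold
// both delimiters or names no file, so the caller keeps it as ordinary text.
func nameChecked(line []byte) (name string, ok bool) {
	if !bytes.HasPrefix(line, marker) || !bytes.HasSuffix(line, markerEnd) ||
		len(line) < len(marker)+len(markerEnd) {
		return "", false
	}
	name = strings.TrimSpace(string(line[len(marker) : len(line)-len(markerEnd)]))
	return name, name != ""
}

// panics reports whether calling f panics.
func panics(f func()) (p bool) {
	defer func() { p = recover() != nil }()
	f()
	return false
}

func main() {
	// Constructed inputs: a valid separator, overlapping delimiters, empty name.
	for _, s := range []string{"-- a.txt --", "-- --", "--  --"} {
		line := []byte(s)
		name, ok := nameChecked(line)
		fmt.Printf("%q unchecked panics=%v checked=(%q, %v)\n",
			s, panics(func() { nameUnchecked(line) }), name, ok)
	}
}
```

The 5-byte line `-- --` satisfies both the prefix and the suffix test because the middle `-` is shared, which produces the `[3:2]` bounds from the report.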

@cor0ps cor0ps commented Jul 16, 2021

> Reproduced. The file name in this example is empty. txtar.Parse cannot return an error, so it should probably not treat that line as a file separator.

Hello, can I submit a CVE for this issue?

@jayconrod jayconrod commented Jul 16, 2021

@cor0ps This doesn't appear to be a security vulnerability so I don't think there's any sense in opening a CVE.

If you think an issue is a security vulnerability, please report it to security@golang.org instead of the public issue tracker.

@gopherbot gopherbot commented Jul 17, 2021

Change https://golang.org/cl/335270 mentions this issue: cmd/go: update txtar.Parse to ignore invalid file separators

@gopherbot gopherbot commented Jul 23, 2021

Change https://golang.org/cl/336932 mentions this issue: txtar/archive: ignore invalid file separators

gopherbot pushed a commit to golang/tools that referenced this issue Jul 26, 2021
In case the file separator line does not define a filename, it should be
ignored.

Updates golang/go#47193

Change-Id: I3a0fee584c0f6b2b41814e79d20884d6468a3b76
Reviewed-on: https://go-review.googlesource.com/c/tools/+/336932
Run-TryBot: Jay Conrod <jayconrod@google.com>
gopls-CI: kokoro <noreply+kokoro@google.com>
Reviewed-by: Jay Conrod <jayconrod@google.com>
Trust: Jay Conrod <jayconrod@google.com>
Trust: Michael Matloob <matloob@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>

@gopherbot gopherbot commented Jul 26, 2021

Change https://golang.org/cl/337352 mentions this issue: [dev.cmdgo] cmd: update x/tools and remove copy of txtar

gopherbot pushed a commit that referenced this issue Aug 6, 2021
golang.org/x/tools/txtar is the main location for this package. We
don't need our own copy.

Also, update cmd/vet tests for compatibility with CL 301949.

For #47193

Change-Id: I480eb591f57a0d05b433a657653e2021e39354eb
Reviewed-on: https://go-review.googlesource.com/c/go/+/337352
Trust: Jay Conrod <jayconrod@google.com>
Run-TryBot: Jay Conrod <jayconrod@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Bryan C. Mills <bcmills@google.com>

@gopherbot gopherbot commented Aug 12, 2021

Change https://golang.org/cl/341937 mentions this issue: cmd: update x/tools and remove copy of txtar

gopherbot pushed a commit that referenced this issue Aug 16, 2021
golang.org/x/tools/txtar is the main location for this package. We
don't need our own copy.

For #47193

Change-Id: I480eb591f57a0d05b433a657653e2021e39354eb
Reviewed-on: https://go-review.googlesource.com/c/go/+/337352
Trust: Jay Conrod <jayconrod@google.com>
Run-TryBot: Jay Conrod <jayconrod@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Bryan C. Mills <bcmills@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/341937