Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/tools/txtar: Parse can panic with slice bounds out of range #47193

Open
cor0ps opened this issue Jul 14, 2021 · 8 comments
Open

x/tools/txtar: Parse can panic with slice bounds out of range #47193

cor0ps opened this issue Jul 14, 2021 · 8 comments
Labels
NeedsFix The path to resolution is known, but the work has not been done. Tools This label describes issues relating to any tools in the x/tools repository.
Milestone
Unreleased

Comments

@cor0ps
Copy link

cor0ps commented Jul 14, 2021
edited

What version of Go are you using (go version)?

$ go version
go version go1.16.4 windows/amd64

Does this issue reproduce with the latest release?

yes,this is because golang.org/x/tools/txtar, all version maybe reproduce.

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
set GO111MODULE=auto
set GOARCH=amd64
set GOBIN=
set GOCACHE=C:\Users\x\AppData\Local\go-build
set GOENV=C:\Users\x\AppData\Roaming\go\env
set GOEXE=.exe
set GOFLAGS=
set GOHOSTARCH=amd64
set GOHOSTOS=windows
set GOINSECURE=
set GOMODCACHE=C:\Users\xxx\go\pkg\mod
set GONOPROXY=
set GONOSUMDB=
set GOOS=windows
set GOPATH=C:\Users\
set GOPRIVATE=
set GOPROXY=
set GOROOT=D:\Program Files\Go
set GOSUMDB=sum.golang.org
set GOTMPDIR=
set GOTOOLDIR=
set GOVCS=
set GOVERSION=go1.16.4
set GCCGO=gccgo
set AR=ar
set CC=gcc
set CXX=g++
set CGO_ENABLED=1
set GOMOD=
set CGO_CFLAGS=-g -O2
set CGO_CPPFLAGS=
set CGO_CXXFLAGS=-g -O2
set CGO_FFLAGS=-g -O2
set CGO_LDFLAGS=-g -O2
set PKG_CONFIG=pkg-config

What did you do?

https://play.golang.org/p/b-471BZeL9y

What did you expect to see?

program run ok

What did you see instead?

panic: runtime error: slice bounds out of range [3:2]

because reason is: strings.TrimSpace(string(data[len(marker) : len(data)-len(markerEnd)]))

len(marker)==3
len(data)-len(markerEnd)==2

maybe this have fix bugs match marker and markerEnd shoud not duplicate!!!
@mdlayher mdlayher changed the title golang.org/x/tools/txtar Parse has slice bounds out of range x/tools/txtar: Parse has slice bounds out of range Jul 14, 2021
@gopherbot gopherbot added the Tools This label describes issues relating to any tools in the x/tools repository. label Jul 14, 2021
@gopherbot gopherbot added this to the Unreleased milestone Jul 14, 2021
@cherrymui cherrymui added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Jul 14, 2021
@cherrymui
Copy link
Member

cc @jayconrod @bcmills @matloob

@cherrymui cherrymui changed the title x/tools/txtar: Parse has slice bounds out of range x/tools/txtar: Parse can panic with slice bounds out of range Jul 14, 2021
@jayconrod jayconrod added the NeedsFix The path to resolution is known, but the work has not been done. label Jul 14, 2021
@gopherbot gopherbot removed the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Jul 14, 2021
@jayconrod
Copy link
Contributor

Reproduced. The file name in this example is empty. txtar.Parse cannot return an error, so it should probably not treat that line as a file separator.

@cor0ps
Copy link
Author

cor0ps commented Jul 16, 2021

Reproduced. The file name in this example is empty. txtar.Parse cannot return an error, so it should probably not treat that line as a file separator.

Hello ,Can I submit a CVE for this issues?

@jayconrod
Copy link
Contributor

@cor0ps This doesn't appear to be a security vulnerability so I don't think there's any sense in opening a CVE.

If you think an issue is a security vulnerability, please report it to security@golang.org instead of the public issue tracker.

@gopherbot
Copy link

Change https://golang.org/cl/335270 mentions this issue: cmd/go: update txtar.Parse to ignore invalid file separators

@gopherbot
Copy link

Change https://golang.org/cl/336932 mentions this issue: txtar/archive: ignore invalid file separators

gopherbot pushed a commit to golang/tools that referenced this issue Jul 26, 2021
txtar/archive: ignore invalid file separators
ebce39e 
In case the file separator line does not define a filename, it should be
ignored.

Updates golang/go#47193

Change-Id: I3a0fee584c0f6b2b41814e79d20884d6468a3b76
Reviewed-on: https://go-review.googlesource.com/c/tools/+/336932
Run-TryBot: Jay Conrod <jayconrod@google.com>
gopls-CI: kokoro <noreply+kokoro@google.com>
Reviewed-by: Jay Conrod <jayconrod@google.com>
Trust: Jay Conrod <jayconrod@google.com>
Trust: Michael Matloob <matloob@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
@gopherbot
Copy link

Change https://golang.org/cl/337352 mentions this issue: [dev.cmdgo] cmd: update x/tools and remove copy of txtar

gopherbot pushed a commit that referenced this issue Aug 6, 2021
[dev.cmdgo] cmd: update x/tools and remove copy of txtar
fc8e0cb 
golang.org/x/tools/txtar is the main location for this package. We
don't need our own copy.

Also, update cmd/vet tests for compatibility with CL 301949.

For #47193

Change-Id: I480eb591f57a0d05b433a657653e2021e39354eb
Reviewed-on: https://go-review.googlesource.com/c/go/+/337352
Trust: Jay Conrod <jayconrod@google.com>
Run-TryBot: Jay Conrod <jayconrod@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Bryan C. Mills <bcmills@google.com>
@WillAbides WillAbides mentioned this issue Aug 11, 2021
Merged
@gopherbot
Copy link

Change https://golang.org/cl/341937 mentions this issue: cmd: update x/tools and remove copy of txtar

gopherbot pushed a commit that referenced this issue Aug 16, 2021
cmd: update x/tools and remove copy of txtar
54ce879 
golang.org/x/tools/txtar is the main location for this package. We
don't need our own copy.

For #47193

Change-Id: I480eb591f57a0d05b433a657653e2021e39354eb
Reviewed-on: https://go-review.googlesource.com/c/go/+/337352
Trust: Jay Conrod <jayconrod@google.com>
Run-TryBot: Jay Conrod <jayconrod@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Bryan C. Mills <bcmills@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/341937
@ZekeLu ZekeLu mentioned this issue Jun 21, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
NeedsFix The path to resolution is known, but the work has not been done. Tools This label describes issues relating to any tools in the x/tools repository.
Projects
None yet
Milestone
Unreleased
Development

No branches or pull requests
4 participants
@jayconrod @gopherbot @cor0ps @cherrymui