go/version: slice bounds out of range in Lang (only at tip)

[catenacyber]

What version of Go are you using (go version)?

$ go version
go version go1.21 linux/amd64

Does this issue reproduce with the latest release?

It happens only on gotip, not on go 1.21

What operating system and processor architecture are you using (go env)?

go env Output

$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/root/.cache/go-build"
GOENV="/root/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/root/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/root/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/root/.go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/root/.go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.21"
GCCGO="gccgo"
GOAMD64="v1"
AR="ar"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD="/src/ngolo-fuzzing/go.mod"
GOWORK=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -Wl,--no-gc-sections -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build2481516251=/tmp/go-build -gno-record-gcc-switches"

What did you do?

Run https://go.dev/play/p/Y_28F1xBFWu?v=gotip
ie version.Lang("go222")

What did you expect to see?

The program finishing and printing Hello

What did you see instead?

panic: runtime error: slice bounds out of range [:7] with length 5

goroutine 1 [running]:
go/version.Lang({0x494c74, 0x5})
	/usr/local/go-faketime/src/go/version/version.go:36 +0x7a
main.main()
	/tmp/sandbox1087001645/prog.go:11 +0x1f

Program exited.

Found by https://github.com/catenacyber/ngolo-fuzzing with oss-fuzz :
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64002

[mateusz834]

This happens, because gover.Lang(stripGo("go222")) returns "go222.0".

This will fix the issue:

func Lang(x string) string {
	v := gover.Lang(stripGo(x))
	if v == "" {
		return ""
	}
+       if len(x) < 2+len(v) {
+		return "go" + v
+	}
	return x[:2+len(v)] // "go"+v without allocation
}

It does not panic for "go1", because of this:

go/src/internal/gover/gover.go

Lines 85 to 87 in 1cc19e5

	if v.Minor == "" || v.Major == "1" && v.Minor == "0" {
	return v.Major
	}

and v.Minor is never "", because of

go/src/internal/gover/gover.go

Lines 103 to 112 in 1cc19e5

	v.Major, x, ok = cutInt(x)
	if !ok {
	return Version{}
	}
	if x == "" {
	// Interpret "1" as "1.0.0".
	v.Minor = "0"
	v.Patch = "0"
	return v
	}

This might also fix the issue, but differently. This should for "go222" return "go222" instead of "go222.0".

// Lang returns the Go language version. For example, Lang("1.2.3") == "1.2".
func Lang(x string) string {
	v := Parse(x)
-	if v.Minor == "" || v.Major == "1" && v.Minor == "0" {
+	if v.Minor == "" || v.Minor == "0" {
		return v.Major
	}
	return v.Major + "." + v.Minor
}

I am not sending a CL, because I am not sure which way this should be handled.

[mateusz834]

CC @rsc

[gopherbot]

Change https://go.dev/cl/541915 mentions this issue: gover: support Semantic Versioning major versions beyond 1

[bcmills]

I believe this is fixed by https://go.dev/cl/541915.

[catenacyber]

Looks fixed indeed on my side