ValueError in TarFile.getmembers

[jvoisin]

BPO	39062
Nosy	@terryjreedy, @gustaebel, @serhiy-storchaka
Files	crash-7221297307ab37ac87be6ea6dd9b28d4d453c557aa3da8a2138ab98e015cd42a

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = None
closed_at = None
created_at = <Date 2019-12-16.10:43:36.117>
labels = ['3.7', 'type-bug', 'library']
title = 'ValueError in TarFile.getmembers'
updated_at = <Date 2019-12-23.16:45:45.204>
user = 'https://bugs.python.org/jvoisin'

bugs.python.org fields:

activity = <Date 2019-12-23.16:45:45.204>
actor = 'jvoisin'
assignee = 'none'
closed = False
closed_date = None
closer = None
components = ['Library (Lib)']
creation = <Date 2019-12-16.10:43:36.117>
creator = 'jvoisin'
dependencies = []
files = ['48781']
hgrepos = []
issue_num = 39062
keywords = []
message_count = 5.0
messages = ['358472', '358737', '358738', '358739', '358827']
nosy_count = 4.0
nosy_names = ['terry.reedy', 'lars.gustaebel', 'serhiy.storchaka', 'jvoisin']
pr_nums = []
priority = 'normal'
resolution = None
stage = None
status = 'open'
superseder = None
type = 'behavior'
url = 'https://bugs.python.org/issue39062'
versions = ['Python 3.7']

[jvoisin]

The attached file produces the following stacktrace when opened via tarfile.open and iterated with TarFile.getmembers, on Python 3.7.5rc1:

$ cat tarrepro.py
import tarfile
import sys

with tarfile.open(sys.argv[1]) as t:
  for member in t.getmembers():
    pass

$ python3 tarrepro.py crash-7221297307ab37ac87be6ea6dd9b28d4d453c557aa3da8a2138ab98e015cd42a
Traceback (most recent call last):
  File "tarrepro.py", line 5, in <module>
    for member in t.getmembers():
  File "/usr/lib/python3.7/tarfile.py", line 1763, in getmembers
    self._load()        # all members, we first have to
  File "/usr/lib/python3.7/tarfile.py", line 2350, in _load
    tarinfo = self.next()
  File "/usr/lib/python3.7/tarfile.py", line 2281, in next
    self.fileobj.seek(self.offset - 1)
ValueError: cannot fit 'int' into an offset-sized integer

This file isn't a valid tar file, it was created by a fuzzer.

[terryjreedy]

See bpo-39065, bpo-39067 for similar tarfile issues.

[terryjreedy]

jvoisin, what do you consider to be the bug? Raising an exception is exactly the right thing to do on bad input. I leave it to others to decide if this should be closed as 'not a bug' or if the internal exception should be caught and replaced. We don't pretend to document all possible exception from all functions.

The more important aim of fuzzing is to find inputs that cause no-exception crashes.

[terryjreedy]

jvoisin, please consider rerunning such reproducers with lastest 3.8 and 3.9 before submitting. It is much easier for you to do so when you have the fuzz file, script, and command line already present.

[jvoisin]

Raising an except is ok, if it's documented, so I know which ones I should catch to prevent my program to quit when processing untrusted files, without having to catch Exception.

Reliability is important in my use-case as well, not only exploitable memory-corruption issues.

I'll try to reproduce future issues on more recent Python versions before reporting them :)