From c2fe4a0ea1cd926c4e8af5042a9e21a1c2abcb89 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?H=C3=A5vard=20Haugen?=
Date: Thu, 28 May 2015 13:48:47 +0200
Subject: [PATCH] archive/tar: terminate when reading malformed sparse files

Fixes #10968.

Change-Id: I027bc571a71629ac49c2a0ff101b2950af6e7531
Reviewed-on: https://go-review.googlesource.com/10482
Reviewed-by: David Symonds
Run-TryBot: David Symonds
TryBot-Result: Gobot Gobot
---
src/archive/tar/reader.go | 3 +++
src/archive/tar/reader_test.go | 19 +++++++++++++++++++
src/archive/tar/testdata/issue10968.tar | Bin 0 -> 512 bytes
3 files changed, 22 insertions(+)
create mode 100644 src/archive/tar/testdata/issue10968.tar

diff --git a/src/archive/tar/reader.go b/src/archive/tar/reader.go
index cd23fb57d6..ae0b97e840 100644
--- a/src/archive/tar/reader.go
+++ b/src/archive/tar/reader.go
@@ -791,6 +791,9 @@ func (sfr *sparseFileReader) Read(b []byte) (n int, err error) {
 // Otherwise, we're at the end of the file
 return 0, io.EOF
 }
+ if sfr.tot < sfr.sp[0].offset {
+ return 0, io.ErrUnexpectedEOF
+ }
 if sfr.pos < sfr.sp[0].offset {
 // We're in a hole
 n = sfr.readHole(b, sfr.sp[0].offset)
diff --git a/src/archive/tar/reader_test.go b/src/archive/tar/reader_test.go
index ab1e8445a4..6ffb383a22 100644
--- a/src/archive/tar/reader_test.go
+++ b/src/archive/tar/reader_test.go
@@ -757,3 +757,22 @@ func TestNegativeHdrSize(t *testing.T) {
 }
 io.Copy(ioutil.Discard, r)
 }
+
+// This used to hang in (*sparseFileReader).readHole due to missing
+// verification of sparse offsets against file size.
+func TestIssue10968(t *testing.T) {
+ f, err := os.Open("testdata/issue10968.tar")
+ if err != nil {
+ t.Fatal(err)
+ }
+ defer f.Close()
+ r := NewReader(f)
+ _, err = r.Next()
+ if err != nil {
+ t.Fatal(err)
+ }
+ _, err = io.Copy(ioutil.Discard, r)
+ if err != io.ErrUnexpectedEOF {
+ t.Fatalf("expected %q, got %q", io.ErrUnexpectedEOF, err)
+ }
+}
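Review bot: The guard added ahead of the hole branch in Read rejects only a sparse entry whose offset lies beyond sfr.tot. No line in this hunk checks the entry's end against sfr.tot, or that offsets are non-negative and ascending, so other malformed sparse maps from an untrusted archive may still reach readHole or the data path; validation may exist outside the hunk, since Read starts and ends beyond it. Because the defect is in the parsed header rather than in any single call, the sparse map would be better validated once where it is parsed, so that Next fails before any Read is attempted. The guard also lacks a comment; I would add `// A sparse entry starting past the declared size is malformed; Read used to hang in readHole on such input (issue 10968).`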
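Review bot: The final assertion in TestIssue10968 formats both errors with `%q`, so if io.Copy returns nil (a regression that succeeds silently instead of hanging) the failure message prints `%!q(<nil>)` rather than something readable. `t.Fatalf("io.Copy error = %v, want %v", err, io.ErrUnexpectedEOF)` avoids that. The fixture is an opaque 512-byte binary, so the comment above the test should also say what is malformed in it, presumably a sparse offset larger than the header's size field (confirm against the fixture). That lets a reviewer audit the case without decoding the tar header by hand.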
diff --git a/src/archive/tar/testdata/issue10968.tar b/src/archive/tar/testdata/issue10968.tar new file mode 100644 index 0000000000000000000000000000000000000000..1cc837bcff14cd822a26e43034955c82e852ab29 GIT binary patch literal 512 zcmbVI!41MN47Ah*kg@;^fX)>lI!AWsgI^V-_Q4}k$6}2x&>iv*cG6Oc`at9n#lG|1 zIi>(iak!RTol#boyD`0c^v(cHJJuvHh-e39;{t(!nc@gWsV;O@FkUc{-h`pC817Ix zgh|QIatu;A!G^JZ7UC1V_vGb4bURuTWAy6SS-Fx(D=wcI#QP1Y#wzX?HAf0_+~lp> yN?iGbw2JFgJjd0vnp9WIo>K3V$tfee6;KE|`1A3J$tp?9B&Y7`+Gwrtzls-lP-;g2 literal 0 HcmV?d00001