From c69c5c62775d84aa56a43bedaa4fcacbb73d403d Mon Sep 17 00:00:00 2001 From: Damien Neil Date: Tue, 14 May 2024 14:39:10 -0700 Subject: [PATCH] [Backport] archive/zip: treat truncated EOCDR comment as an error CVE: CVE-2024-24789 Reference: https://go-review.googlesource.com/c/go/+/588796 When scanning for an end of central directory record, treat an EOCDR signature with a record containing a truncated comment as an error. Previously, we would skip over the invalid record and look for another one. Other implementations do not do this (they either consider this a hard error, or just ignore the truncated comment). This parser misalignment allowed presenting entirely different archive contents to Go programs and other zip decoders. For #66869 Fixes #67554 Fixes CVE-2024-24789 Change-Id: I94e5cb028534bb5704588b8af27f1e22ea49c7c6 Reviewed-on: https://go-review.googlesource.com/c/go/+/585397 Reviewed-by: Joseph Tsai Reviewed-by: Dmitri Shuralyov LUCI-TryBot-Result: Go LUCI (cherry picked from commit 33d725e5758bf1fea62e6c77fc70b57a828a49f5) Reviewed-on: https://go-review.googlesource.com/c/go/+/588796 Reviewed-by: Matthew Dempsky Signed-off-by: Ma Chang Wang machangwang@huawei.com --- src/archive/zip/reader.go | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/src/archive/zip/reader.go b/src/archive/zip/reader.go index 1fde1decc4..20356bde0e 100644 --- a/src/archive/zip/reader.go +++ b/src/archive/zip/reader.go @@ -699,9 +699,13 @@ func findSignatureInBlock(b []byte) int { if b[i] == 'P' && b[i+1] == 'K' && b[i+2] == 0x05 && b[i+3] == 0x06 { // n is length of comment n := int(b[i+directoryEndLen-2]) | int(b[i+directoryEndLen-1])<<8 - if n+directoryEndLen+i <= len(b) { - return i + if n+directoryEndLen+i > len(b) { + // Truncated comment. + // Some parsers (such as Info-ZIP) ignore the truncated comment + // rather than treating it as a hard error. + return -1 } + return i } } return -1 -- 2.33.0