DHowett / go-plist

A pure Go Apple Property List transcoder

text: address out-of-bounds panic in parseGNUStepValue #79

Closed TomSellers closed 1 year ago

TomSellers commented 1 year ago

This PR addresses an index out of range panic in parseGNUStepValue. This panic was identified as part of internal fuzzer-based testing of our code.

Reproducer

package main

import (
    "bytes"

    "howett.net/plist"
)

func main() {
    // Malformed GNUstep-style text plist: an array opened with "(" that
    // contains a "<*B...>" typed value with an empty payload.
    data := []byte(`(plist versionGetValue<*B"">`)

    dec := plist.NewDecoder(bytes.NewReader(data))
    res := make(map[string]interface{})

    // Decoding this input panics inside parseGNUStepValue (see trace below)
    // instead of returning an error.
    _ = dec.Decode(res)
}

Results

go run ./main.go

panic: runtime error: index out of range [0] with length 0 [recovered]
    panic: runtime error: index out of range [0] with length 0 [recovered]
    panic: runtime error: index out of range [0] with length 0

goroutine 1 [running]:
howett.net/plist.(*Decoder).Decode.func1()
    /Users/me/git/go-plist/decode.go:30 +0xac
panic({0x1023deaa0?, 0x14000116018?})
    /usr/local/go/src/runtime/panic.go:914 +0x218
howett.net/plist.(*textPlistParser).parseDocument.func1()
    /Users/me/git/go-plist/text_parser.go:74 +0xe0
panic({0x1023deaa0?, 0x14000116018?})
    /usr/local/go/src/runtime/panic.go:914 +0x218
howett.net/plist.(*textPlistParser).parseGNUStepValue(0x1400010aea0)
    /Users/me/git/go-plist/text_parser.go:460 +0x4e0
howett.net/plist.(*textPlistParser).parsePlistValue(0x1400010aea0)
    /Users/me/git/go-plist/text_parser.go:554 +0x17c
howett.net/plist.(*textPlistParser).parseArray(0x1400010aea0)
    /Users/me/git/go-plist/text_parser.go:399 +0xd4
howett.net/plist.(*textPlistParser).parsePlistValue(0x1400010aea0)
    /Users/me/git/go-plist/text_parser.go:567 +0x190
howett.net/plist.(*textPlistParser).parseDocument(0x1400010aea0)
    /Users/me/git/go-plist/text_parser.go:91 +0xa4
howett.net/plist.(*Decoder).Decode(0x14000140000, {0x1023d21e0, 0x140001101b0})
    /Users/me/git/go-plist/decode.go:58 +0x210
main.main()
    /Users/me/git/go-plist/cmd/crasher/main.go:15 +0xfc
exit status 2

I built a quick fuzzer for Decode with a good test corpus in order to identify related bugs, but nothing shook out in roughly an hour.
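To show the bug class this PR fixes and the two defences a practitioner would want, here is a self-contained Go example added for this page. It is not go-plist's code: `splitGNUStep`, `parseUnchecked`, `parseChecked` and `decodeUntrusted` are hypothetical names in a deliberately simplified parser for GNUstep `<*B...>`, `<*I...>` and `<*R...>` scalars. `parseUnchecked` indexes the payload's first byte without a length check, so an empty payload panics with the same "index out of range [0] with length 0" message as the trace above; `parseChecked` rejects the empty payload first; `decodeUntrusted` shows the caller-side mitigation of recovering a decoder panic into an error when the input is untrusted.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
)

// Illustrative code written for this page; it is NOT go-plist's
// parseGNUStepValue. It only reproduces the defect class the PR fixes
// (indexing the first byte of a possibly empty payload) and two defences.

// ErrMalformed is returned for any structurally invalid GNUstep scalar.
var ErrMalformed = errors.New("malformed GNUstep value")

// splitGNUStep strips the "<*" and ">" delimiters and returns the type byte
// and the remaining payload. An empty payload is possible (e.g. "<*B>") and
// the caller must check for it before indexing.
func splitGNUStep(s string) (typ byte, payload string, err error) {
	if len(s) < 4 || s[:2] != "<*" || s[len(s)-1] != '>' {
		return 0, "", ErrMalformed
	}
	body := s[2 : len(s)-1] // at least one byte because len(s) >= 4
	return body[0], body[1:], nil
}

// parseUnchecked mirrors the defect: payload[0] is read without a length
// check, so "<*B>" panics with "index out of range [0] with length 0".
func parseUnchecked(s string) (interface{}, error) {
	typ, payload, err := splitGNUStep(s)
	if err != nil {
		return nil, err
	}
	switch typ {
	case 'B':
		return payload[0] == 'Y', nil // panics when payload is empty
	case 'I':
		return strconv.ParseInt(payload, 10, 64)
	case 'R':
		return strconv.ParseFloat(payload, 64)
	}
	return nil, ErrMalformed
}

// parseChecked is the hardened form: an empty payload is rejected before
// any byte of it is indexed, and booleans are validated strictly.
func parseChecked(s string) (interface{}, error) {
	typ, payload, err := splitGNUStep(s)
	if err != nil {
		return nil, err
	}
	if len(payload) == 0 {
		return nil, fmt.Errorf("%w: empty <*%c> payload", ErrMalformed, typ)
	}
	switch typ {
	case 'B':
		switch payload {
		case "Y":
			return true, nil
		case "N":
			return false, nil
		}
		return nil, fmt.Errorf("%w: bad boolean %q", ErrMalformed, payload)
	case 'I':
		return strconv.ParseInt(payload, 10, 64)
	case 'R':
		return strconv.ParseFloat(payload, 64)
	}
	return nil, fmt.Errorf("%w: unknown type %c", ErrMalformed, typ)
}

// decodeUntrusted is the caller-side defence: when a decoder may still
// panic on adversarial input, convert the panic into an error so that one
// bad document cannot take down the whole process.
func decodeUntrusted(parse func(string) (interface{}, error), s string) (v interface{}, err error) {
	defer func() {
		if r := recover(); r != nil {
			v, err = nil, fmt.Errorf("decoder panicked on untrusted input: %v", r)
		}
	}()
	return parse(s)
}

func main() {
	// Constructed sample inputs: three valid scalars and one empty payload.
	for _, in := range []string{"<*BY>", "<*I42>", "<*R1.5>", "<*B>"} {
		v, err := decodeUntrusted(parseUnchecked, in)
		fmt.Printf("unchecked %-8s -> %v, %v\n", in, v, err)
		v, err = decodeUntrusted(parseChecked, in)
		fmt.Printf("checked   %-8s -> %v, %v\n", in, v, err)
	}
}
```

The library-side fix (the length check in `parseChecked`) is the real remedy; the `recover` wrapper is only a containment layer for callers that feed attacker-controlled documents to a decoder, and a fuzz target over the decoder, as the PR author describes, is what finds the remaining cases.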

DHowett commented 1 year ago

Thanks for the fix, and for fuzzing go-plist! I'm only a little surprised gofuzz didn't catch it, but all the more grateful that somebody did. :smile:

TomSellers commented 1 year ago

Thanks for landing, @DHowett. Would it be possible to tag a new release that contains the fixes in this PR and #78?

DHowett commented 11 months ago

I'm so sorry I missed this. Yes, here's v1.0.1.