search

golang / go

The Go programming language
https://go.dev
BSD 3-Clause "New" or "Revised" License
122.13k stars 17.45k forks source link

index/suffixarray: panic: runtime error: index out of range #53352

Open catenacyber opened 2 years ago

catenacyber commented 2 years ago

What version of Go are you using (go version)?

$ go version
go version go1.17.6 darwin/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/catena/Library/Caches/go-build"
GOENV="/Users/catena/Library/Application Support/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOINSECURE=""
GOMODCACHE="/Users/catena/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="darwin"
GOPATH="/Users/catena/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/darwin_amd64"
GOVCS=""
GOVERSION="go1.17.6"
GCCGO="gccgo"
AR="ar"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD="/Users/catena/go/src/github.com/catenacyber/go/src/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -arch x86_64 -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/pp/dc1dtf9x2js3v0jx_m010nqr0000gn/T/go-build4237848497=/tmp/go-build -gno-record-gcc-switches -fno-common"
GOROOT/bin/go version: go version go1.17.6 darwin/amd64
GOROOT/bin/go tool compile -V: compile version go1.17.6
uname -v: Darwin Kernel Version 21.3.0: Wed Jan  5 21:37:58 PST 2022; root:xnu-8019.80.24~20/RELEASE_X86_64
ProductName:    macOS
ProductVersion: 12.2.1
BuildVersion:   21D62
lldb --version: lldb-1316.0.9.41
Apple Swift version 5.6 (swiftlang-5.6.0.323.62 clang-1316.0.20.8)
gdb --version: GNU gdb (GDB) 9.1

What did you do?

https://go.dev/play/p/Gk-DGnODS1Y

Another variant https://go.dev/play/p/sr0X0MsAcQ0

ends with panic: runtime error: slice bounds out of range [10:1]

What did you expect to see?

The program finishing and printing Hello

What did you see instead?

panic: runtime error: index out of range [25] with length 25

goroutine 1 [running]:
index/suffixarray.(*ints).set(...)
    /usr/local/go-faketime/src/index/suffixarray/suffixarray.go:61
index/suffixarray.readSlice({0x4bd108, 0xc0000a01e0}, {0xc0000c4000, 0x4000, 0x4000}, {{0xc0000ca000, 0x19, 0x19}, {0x0, 0x0, ...}})
    /usr/local/go-faketime/src/index/suffixarray/suffixarray.go:145 +0x290
index/suffixarray.(*Index).Read(0xc0000be000, {0x4bd108, 0xc0000a01e0})
    /usr/local/go-faketime/src/index/suffixarray/suffixarray.go:195 +0x432
main.main()
    /tmp/sandbox4264139982/prog.go:13 +0xf3

Program exited.

Found by https://github.com/catenacyber/ngolo-fuzzing on oss-fuzz https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47954

cf #52120 but there is no error to be caught here, right ?

gopherbot commented 2 years ago

Change https://go.dev/cl/411995 mentions this issue: index/suffixarray: fix index out of range when reading malformed indexes

foadmom commented 2 years ago

I think, the code fails because index.Read uses binary.Varint(buf) to calculate the length of the io.Reader's buffer by reading the first 10 bytes as if the first 10 bytes of the buffer contain the length of the buffer. it is a shame that io.Reader has no calls to return the buffer so the len can be called against the io.Reader's buffer. On the other hand i might have misunderstood the code completely.