Unhandled panic when reading RAR

[rgmz]

Please review the Community Note before submitting

TruffleHog Version

3.63.7

Description

Rar archives can cause an unhandled panic. This can be reliably reproduced by scanning microsoft/RecursiveExtractor. The specific reproducer is likely EncryptedWithPlainNames.rar4, although I haven't tested it yet.

panic: runtime error: index out of range [0] with length 0

goroutine 591 [running]:
github.com/nwaples/rardecode/v2.(*subAllocator).contextSetNumStates(...)
        /home/user/go/pkg/mod/github.com/nwaples/rardecode/v2@v2.0.0-beta.2/ppm_model.go:453
github.com/nwaples/rardecode/v2.(*subAllocator).newContextSize(0xc004a5e048, 0x100)
        /home/user/go/pkg/mod/github.com/nwaples/rardecode/v2@v2.0.0-beta.2/ppm_model.go:444 +0xda
github.com/nwaples/rardecode/v2.(*model).restart(0xc004a5e000)
        /home/user/go/pkg/mod/github.com/nwaples/rardecode/v2@v2.0.0-beta.2/ppm_model.go:583 +0x125
github.com/nwaples/rardecode/v2.(*model).ReadByte(0xc004a5e000)
        /home/user/go/pkg/mod/github.com/nwaples/rardecode/v2@v2.0.0-beta.2/ppm_model.go:1030 +0x25
github.com/nwaples/rardecode/v2.(*ppm29Decoder).fill(0xc004a5e000, 0xc001a88820)
        /home/user/go/pkg/mod/github.com/nwaples/rardecode/v2@v2.0.0-beta.2/decode29_ppm.go:93 +0x3f
github.com/nwaples/rardecode/v2.(*decoder29).fill(0xc0042089c0, 0xc001a88820)
        /home/user/go/pkg/mod/github.com/nwaples/rardecode/v2@v2.0.0-beta.2/decode29.go:239 +0x85
github.com/nwaples/rardecode/v2.(*decodeReader).fill(0xc001a88820)
        /home/user/go/pkg/mod/github.com/nwaples/rardecode/v2@v2.0.0-beta.2/decode_reader.go:188 +0x7e
github.com/nwaples/rardecode/v2.(*decodeReader).bytes(0xc001a88820)
        /home/user/go/pkg/mod/github.com/nwaples/rardecode/v2@v2.0.0-beta.2/decode_reader.go:255 +0x2e
github.com/nwaples/rardecode/v2.(*decodeReader).Read(0xc001a88820, {0xc0042801c0, 0x4, 0xc002fbb590?})
        /home/user/go/pkg/mod/github.com/nwaples/rardecode/v2@v2.0.0-beta.2/decode_reader.go:301 +0x38
github.com/nwaples/rardecode/v2.(*limitedReader).Read(0xc004917020, {0xc0042801c0?, 0x10?, 0x10?})
        /home/user/go/pkg/mod/github.com/nwaples/rardecode/v2@v2.0.0-beta.2/reader.go:260 +0x49
github.com/nwaples/rardecode/v2.(*checksumReader).Read(0xc004917050, {0xc0042801c0, 0x48?, 0x4})
        /home/user/go/pkg/mod/github.com/nwaples/rardecode/v2@v2.0.0-beta.2/reader.go:306 +0x31
github.com/nwaples/rardecode/v2.(*Reader).Read(0xc001a21580?, {0xc0042801c0?, 0x4?, 0x4?})
        /home/user/go/pkg/mod/github.com/nwaples/rardecode/v2@v2.0.0-beta.2/reader.go:346 +0x58
github.com/mholt/archiver/v4.(*rewindReader).Read(0xc004916f90, {0xc0042801c0?, 0xc00234c6a8?, 0x4})
        /home/user/go/pkg/mod/github.com/mholt/archiver/v4@v4.0.0-alpha.8/formats.go:324 +0x145
io.ReadAtLeast({0x3d53120, 0xc004916f90}, {0xc0042801c0, 0x4, 0x4}, 0x4)
        /home/user/sdk/go1.21.0/src/io/io.go:335 +0x90
io.ReadFull(...)
        /home/user/sdk/go1.21.0/src/io/io.go:354
github.com/mholt/archiver/v4.readAtMost({0x3d53120, 0xc004916f90}, 0x4)
        /home/user/go/pkg/mod/github.com/mholt/archiver/v4@v4.0.0-alpha.8/formats.go:137 +0x73
github.com/mholt/archiver/v4.Lz4.Match({0xc00007aa00?}, {0x0?, 0x4139e9?}, {0x3d53120, 0xc004916f90})
        /home/user/go/pkg/mod/github.com/mholt/archiver/v4@v4.0.0-alpha.8/lz4.go:31 +0x58
github.com/mholt/archiver/v4.identifyOne({0x3d64518?, 0x5963120?}, {0x0?, 0xc00234ca38?}, 0x221897f?, {0x0?, 0x0?})
        /home/user/go/pkg/mod/github.com/mholt/archiver/v4@v4.0.0-alpha.8/formats.go:117 +0x1d8
github.com/mholt/archiver/v4.Identify({0x0, 0x0}, {0x7f1f256f8ea0?, 0xc001584a60?})
        /home/user/go/pkg/mod/github.com/mholt/archiver/v4@v4.0.0-alpha.8/formats.go:51 +0x1a5
github.com/trufflesecurity/trufflehog/v3/pkg/handlers.(*Archive).openArchive(0xc00140a330, {0x3d88920?, 0xc004916ea0}, 0x1, {0x7f1f256f8ea0, 0xc001584a60}, 0xc004208900)
        /home/user/dev/trufflehog/pkg/handlers/archive.go:108 +0xcc
github.com/trufflesecurity/trufflehog/v3/pkg/handlers.(*Archive).openArchive.(*Archive).extractorHandler.func1({0x7f1f243c01a0, 0xc004916ea0}, {{0x3d8d590, 0xc00082c620}, {0x2eff4a0, 0xc00082c620}, {0xc004280198, 0x7}, {0x0, 0x0}, ...})
        /home/user/dev/trufflehog/pkg/handlers/archive.go:222 +0x3ee
github.com/mholt/archiver/v4.Rar.Extract({0x0?, {0x0?, 0x0?}}, {0x7f1f243c01a0, 0xc004916ea0}, {0x3d4ff80?, 0xc0018e1b90?}, {0x0, 0x0, 0x0}, ...)
        /home/user/go/pkg/mod/github.com/mholt/archiver/v4@v4.0.0-alpha.8/rar.go:108 +0x49e
github.com/trufflesecurity/trufflehog/v3/pkg/handlers.(*Archive).openArchive(0xc00140a330, {0x3d88920?, 0xc004916bd0}, 0x0, {0x3d4ff80, 0xc0018e1b90}, 0xc004208900)
        /home/user/dev/trufflehog/pkg/handlers/archive.go:129 +0x496
github.com/trufflesecurity/trufflehog/v3/pkg/handlers.(*Archive).FromFile.func1()
        /home/user/dev/trufflehog/pkg/handlers/archive.go:87 +0x1c5
created by github.com/trufflesecurity/trufflehog/v3/pkg/handlers.(*Archive).FromFile in goroutine 87
        /home/user/dev/trufflehog/pkg/handlers/archive.go:82 +0x105

References

Might be related to #801

[rgmz]

Another occurrence:

2024-04-24T12:13:06Z    error   trufflehog      Panic occurred when reading archive     {"source_manager_worker_id": "CpAT5", "repo": "https://github.com/brave/chromium-releases.git", "commit": "14e60b3", "path": "chrome/test/data/safe_browsing/rar/passwd.rar", "timeout": 30, "error": "runtime error: index out of range [0] with length 0"}