Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG]: slice bounds out of range on glob/match #56

Open
secsys-go opened this issue Jul 12, 2022 · 0 comments
Open

[BUG]: slice bounds out of range on glob/match #56

secsys-go opened this issue Jul 12, 2022 · 0 comments

Comments

@secsys-go
Copy link

This bug occurs when the glob.Glob has a matcher which is empty and its length is 0.
In detail, the crash locates in glob/match/raw.go:(self Row) matchAll(s string) bool:

func (self Row) matchAll(s string) bool {
	var idx int
	for _, m := range self.Matchers {
		length := m.Len()

		var next, i int
		for next = range s[idx:] {
			i++
			if i == length {
				break
			}
		}

		if i < length || !m.Match(s[idx:idx+next+1]) {
			return false
		}

		idx += next + 1
	}

	return true
}

If length is 0 and s meets the end, the function won't return by the condition i < length and it will crashed at s[idx:idx+next+1]

The PoC is here:

package main

import (
	"strings"

	"github.com/gobwas/glob"
)
// IndexerGlobFromString parses a comma separated list of patterns and returns a glob.Glob slice suited for repo indexing
func IndexerGlobFromString(globstr string) []glob.Glob {
	extarr := make([]glob.Glob, 0, 10)
	for _, expr := range strings.Split(strings.ToLower(globstr), ",") {
		expr = strings.TrimSpace(expr)
		if expr != "" {
			if g, err := glob.Compile(expr, '.', '/'); err == nil {
				extarr = append(extarr, g)
			}
		}
	}
	return extarr
}

func main() {
	pocstr := "0{" // this string is designed to make the second matcher of g is empty
	g := IndexerGlobFromString(pocstr)[0]
	// the second matcher of g is empty, and its length is 0
	g.Match("0")
}

It will crash as:

panic: runtime error: slice bounds out of range [:2] with length 1

goroutine 1 [running]:
github.com/gobwas/glob/match.Row.matchAll({{0xc0001b6020, 0x2, 0x2}, 0x1, {0xc0001b0090, 0x1, 0x1}}, {0x4d2ca9, 0x1})
	/home/zjx/workspace/gowork/pkg/mod/github.com/gobwas/glob@v0.2.3/match/row.go:34 +0x34f
github.com/gobwas/glob/match.Row.Match({{0xc0001b6020, 0x2, 0x2}, 0x1, {0xc0001b0090, 0x1, 0x1}}, {0x4d2ca9, 0x1})
	/home/zjx/workspace/gowork/pkg/mod/github.com/gobwas/glob@v0.2.3/match/row.go:56 +0xe9
main.main()
	/home/zjx/workspace/gowork/src/go-fdg-exmaples/gitea/modules/setting/pocTest_newIndexerGlobSettings/main.go:27 +0x7c
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@secsys-go