Certain file causes panic upon unpack #23

Closed
frewsxcv opened this issue May 12, 2015 · 2 comments

@frewsxcv

I tried running this library through afl.rs, and came across a panic:

Here is the file that is fed into stdin (this is base64 encoded, make sure to decode it before):
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=

Code I used:

extern crate tar;

use std::io::{self, Read};
use std::path::Path;

fn main() {
    // Read the whole fuzzer-supplied input from stdin. Note that
    // read_to_string rejects input that is not valid UTF-8, so only
    // UTF-8 test cases reach the archive parser with this harness.
    let mut input = String::new();
    let result = io::stdin().read_to_string(&mut input);
    if result.is_ok() {
        // Treat the input bytes as a tar archive and unpack it to /dev/null
        // so that only the parsing path is exercised; the io::Result is
        // deliberately ignored because the point is to surface panics.
        let mut a = tar::Archive::new(input.as_bytes());
        let _ = a.unpack(Path::new("/dev/null"));
    }
}

Output

root@afl-rust:~/afl-staging-area# cargo run --verbose < id\:000000\,sig\:04\,src\:000027\,op\:ext_AO\,pos\:268
       Fresh afl-coverage-plugin v0.0.1 (https://github.com/kmcallister/afl.rs#845bdff0)
       Fresh libc v0.1.7
       Fresh gcc v0.3.5
       Fresh afl-coverage v0.0.1 (https://github.com/kmcallister/afl.rs#845bdff0)
       Fresh tar v0.2.11 (file:///root/afl-staging-area)
       Fresh afl-staging-area v0.1.0 (file:///root/afl-staging-area)
     Running `target/debug/afl-staging-area`
thread '<main>' panicked at 'arithmetic operation overflowed', /root/tar-rs/src/lib.rs:167
stack backtrace:
   1:     0x7fac5db00e59 - sys::backtrace::write::hb34cb0734f7a3c97uhs
   2:     0x7fac5db044d1 - panicking::on_panic::h82f65b9161b1f8deGXw
   3:     0x7fac5dafbb62 - rt::unwind::begin_unwind_inner::h9f6dd38aeb9ea42dQCw
   4:     0x7fac5dafbdc7 - rt::unwind::begin_unwind_fmt::h44a1d6134651f778WBw
   5:     0x7fac5db03e26 - rust_begin_unwind
   6:     0x7fac5db35b84 - panicking::panic_fmt::h063af2dc79b71461c0B
   7:     0x7fac5db35604 - panicking::panic::ha74d34b97dbec983JYB
   8:     0x7fac5dadc226 - Archive<R>::unpack::h130850372175687317
                        at /root/tar-rs/src/lib.rs:172
   9:     0x7fac5dad7117 - main::h71d2ed005404877bkaa
                        at src/main.rs:17
  10:     0x7fac5db086b8 - rust_try_inner
  11:     0x7fac5db086a5 - rust_try
  12:     0x7fac5db05d23 - rt::lang_start::he6efc8b28021b078bSw
  13:     0x7fac5daf2be2 - main
  14:     0x7fac5d501a3f - __libc_start_main
  15:     0x7fac5dad6c08 - _start
  16:                0x0 - <unknown>
Process didn't exit successfully: `target/debug/afl-staging-area` (signal: 4)

let is_directory = bytes[bytes.len() - 1] == b'/';

is the line it crashes on in particular.

@frewsxcv frewsxcv changed the title Certain file causes panic upon decode Certain file causes panic upon unpack May 12, 2015
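The quoted line fails when `bytes` is empty: `bytes.len() - 1` computes `0usize - 1`, which panics with "arithmetic operation overflowed" in a debug build and wraps to `usize::MAX` in a release build, where the index is then out of bounds. The following is an added example, not tar-rs code: it reconstructs how an empty name can arise from a header block whose name field is all NUL (the `header_name` helper, the 100-byte name field offset and the constructed blocks are assumptions about the ustar layout, not the library's own parsing), shows the original check panicking on it, and shows a hardened form that uses `last()` instead of arithmetic on the length.

```rust
use std::panic;

/// Name field of a ustar header: offset 0, 100 bytes, NUL-padded
/// (assumed layout for this example, not the library's own parser).
const NAME_LEN: usize = 100;

/// Return the header's name with trailing NUL padding removed. An all-NUL
/// name field, which a fuzzer readily produces, yields an empty slice.
pub fn header_name(block: &[u8; 512]) -> &[u8] {
    let field = &block[..NAME_LEN];
    let end = field.iter().position(|&b| b == 0).unwrap_or(NAME_LEN);
    &field[..end]
}

/// The check as quoted in the report. On an empty slice the subtraction
/// overflows: a panic in debug builds, a wrap to usize::MAX followed by an
/// out-of-bounds index panic in release builds.
pub fn is_directory_original(bytes: &[u8]) -> bool {
    bytes[bytes.len() - 1] == b'/'
}

/// Hardened form: `last()` is None for an empty slice, so no arithmetic on
/// the length is needed and an empty name is simply "not a directory".
pub fn is_directory_checked(bytes: &[u8]) -> bool {
    bytes.last() == Some(&b'/')
}

/// Whether the original check panics on `bytes`, observed via catch_unwind
/// so the crash can be demonstrated without aborting the process.
pub fn original_panics_on(bytes: &[u8]) -> bool {
    panic::catch_unwind(|| is_directory_original(bytes)).is_err()
}

/// Constructed 512-byte header block holding only a name (sample data for
/// this example, not the file from the report).
pub fn block_with_name(name: &[u8]) -> [u8; 512] {
    let mut block = [0u8; 512];
    let n = name.len().min(NAME_LEN);
    block[..n].copy_from_slice(&name[..n]);
    block
}

fn main() {
    let empty = block_with_name(b"");
    let dir = block_with_name(b"etc/");
    let file = block_with_name(b"etc/passwd");
    let cases: [(&str, &[u8; 512]); 3] = [("empty", &empty), ("dir", &dir), ("file", &file)];
    for &(label, block) in cases.iter() {
        let name = header_name(block);
        println!(
            "{:>5}: original panics = {}, checked = {}",
            label,
            original_panics_on(name),
            is_directory_checked(name)
        );
    }
}
```

The `catch_unwind` wrapper exists only to make the crash observable inside a single process; the default panic hook still prints the overflow message to stderr when the original check runs on the empty name.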
@frewsxcv (Author)

I wonder if rust-lang/rust#25300 will fix this

@alexcrichton (Owner)

Awesome, thanks! This kind of fuzzing seems to be paying off quite well!
