bug: RawTag.UnmarshalCBOR() panic with truncated tag

[thomas-fossati]

What version of fxamacker/cbor are you using?

v2.7.0

Does this issue reproduce with the latest release?

I haven’t tested.

What OS and CPU architecture are you using (go env)?

$ go env

GO111MODULE=''
GOARCH='arm64'
GOBIN=''
GOCACHE='/Users/tho/Library/Caches/go-build'
GOENV='/Users/tho/Library/Application Support/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='arm64'
GOHOSTOS='darwin'
GOINSECURE=''
GOMODCACHE='/Users/tho/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='darwin'
GOPATH='/Users/tho/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/darwin_arm64'
GOVCS=''
GOVERSION='go1.23.0'
GODEBUG=''
GOTELEMETRY='local'
GOTELEMETRYDIR='/Users/tho/Library/Application Support/go/telemetry'
GCCGO='gccgo'
GOARM64='v8.0'
AR='ar'
CC='clang'
CXX='clang++'
CGO_ENABLED='1'
GOMOD='/Users/tho/Code/github.com/veraison/cmw/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -arch arm64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -ffile-prefix-map=/var/folders/st/1wblnvg95bg4p9hnzc6dwjzh0000gn/T/go-build1346977790=/tmp/go-build -gno-record-gcc-switches -fno-common'

What did you do?

{
    var v cbor.RawTag

    truncatedTag := []byte{0xda}

    err := v.UnmarshalCBOR(truncatedTag)

    checkErr(err)
}
  

What did you expect to see?

An error from UnmarshalCBOR

What did you see instead?

The following panic trace:

panic: runtime error: slice bounds out of range [:5] with capacity 1 [recovered]
	panic: runtime error: slice bounds out of range [:5] with capacity 1

panic({0x102b34b00?, 0x140000b61c8?})
	/usr/local/go/src/runtime/panic.go:785 +0x124
github.com/fxamacker/cbor/v2.(*decoder).getHead(0x140000fbaa8?)
	/Users/tho/go/pkg/mod/github.com/fxamacker/cbor/v2@v2.7.0/decode.go:2921 +0x1cc
github.com/fxamacker/cbor/v2.(*RawTag).UnmarshalCBOR(0x140000fbac8, {0x140000fbac7?, 0x140000fbad8?, 0x10291cd5c?})
	/Users/tho/go/pkg/mod/github.com/fxamacker/cbor/v2@v2.7.0/tag.go:39 +0x88
[...]

[fxamacker]

@thomas-fossati Thanks for reporting this!

I will look into it this weekend (today after 7 PM Central due to meetings).

[fxamacker]

Thanks again for opening this issue!

Basically, RawTag.UnmarshalCBOR() is intended to be called by the codec internally and the codec checks for malformed data before calling it.

However, the function is exported, so it cannot assume it will only be used internally by the codec after input data is checked for well-formedness.

To resolve this, I opened PR #636 to update RawTag.UnmarshalCBOR() to match the error handling already done by cbor.Unmarshal(). So they will return same error (and not panic) when user apps provide malformed input data to RawTag.UnmarshalCBOR().

The PR also applies same update to ByteString.UnmarshalCBOR() and SimpleValue.UnmarshalCBOR().

Fuzzer needed to be updated and fuzzing was very brief so far (as of Sunday, March 16), so I'm fuzzing for longer duration before tagging v2.7.1.

[thomas-fossati]

@fxamacker, thanks very much for the exhaustive explainer and the super-quick fix. Much appreciated!

[fxamacker]

Closed by PRs #636 in release-2.7 branch and ported by #645 to main branch. Both passed fuzz tests.