go-cid v0.7.6

Add fuzz tests, fix panic

.gitignore

@@ -0,0 +1 @@
+cid-fuzz.zip

.gx/lastpubver

@@ -1 +1 @@
-0.7.5: QmcEcrBAMrwMyhSjXt4yfyPpzgSuV8HLHavnfmiKCSRqZU
+0.7.6: QmX4hxL9LDFVpYtNfBEBgVSynRGsooVf4F8nrvJiCZuxqq

LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2016 Protocol Labs, Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

cid.go

@@ -3,7 +3,9 @@ package cid
 import (
 	"bytes"
 	"encoding/binary"
+	"errors"
 	"fmt"
+	"strings"
 
 	mbase "github.com/multiformats/go-multibase"
 	mh "github.com/multiformats/go-multihash"
@@ -47,6 +49,24 @@ type Cid struct {
 	hash    mh.Multihash
 }
 
+func Parse(v interface{}) (*Cid, error) {
+	switch v2 := v.(type) {
+	case string:
+		if strings.Contains(v2, "/ipfs/") {
+			return Decode(strings.Split(v2, "/ipfs/")[1])
+		}
+		return Decode(v2)
+	case []byte:
+		return Cast(v2)
+	case mh.Multihash:
+		return NewCidV0(v2), nil
+	case *Cid:
+		return v2, nil
+	default:
+		return nil, fmt.Errorf("can't parse %+v as Cid", v2)
+	}
+}
+
 func Decode(v string) (*Cid, error) {
 	if len(v) < 2 {
 		return nil, fmt.Errorf("cid too short")
@@ -69,6 +89,23 @@ func Decode(v string) (*Cid, error) {
 	return Cast(data)
 }
 
+var (
+	ErrVarintBuffSmall = errors.New("reading varint: buffer to small")
+	ErrVarintTooBig    = errors.New("reading varint: varint bigger than 64bits" +
+		" and not supported")
+)
+
+func uvError(read int) error {
+	switch {
+	case read == 0:
+		return ErrVarintBuffSmall
+	case read < 0:
+		return ErrVarintTooBig
+	default:
+		return nil
+	}
+}
+
 func Cast(data []byte) (*Cid, error) {
 	if len(data) == 34 && data[0] == 18 && data[1] == 32 {
 		h, err := mh.Cast(data)
@@ -84,11 +121,18 @@ func Cast(data []byte) (*Cid, error) {
 	}
 
 	vers, n := binary.Uvarint(data)
+	if err := uvError(n); err != nil {
+		return nil, err
+	}
+
 	if vers != 0 && vers != 1 {
 		return nil, fmt.Errorf("invalid cid version number: %d", vers)
 	}
 
 	codec, cn := binary.Uvarint(data[n:])
+	if err := uvError(cn); err != nil {
+		return nil, err
+	}
 
 	rest := data[n+cn:]
 	h, err := mh.Cast(rest)
@@ -143,10 +187,14 @@ func (c *Cid) bytesV0() []byte {
 }
 
 func (c *Cid) bytesV1() []byte {
-	buf := make([]byte, 8+len(c.hash))
+	// two 8 bytes (max) numbers plus hash
+	buf := make([]byte, 2*binary.MaxVarintLen64+len(c.hash))
 	n := binary.PutUvarint(buf, c.version)
 	n += binary.PutUvarint(buf[n:], c.codec)
-	copy(buf[n:], c.hash)
+	cn := copy(buf[n:], c.hash)
+	if cn != len(c.hash) {
+		panic("copy hash length is inconsistent")
+	}
 
 	return buf[:n+len(c.hash)]
 }
@@ -221,7 +269,7 @@ func (p Prefix) Sum(data []byte) (*Cid, error) {
 }
 
 func (p Prefix) Bytes() []byte {
-	buf := make([]byte, 16)
+	buf := make([]byte, 4*binary.MaxVarintLen64)
 	n := binary.PutUvarint(buf, p.Version)
 	n += binary.PutUvarint(buf[n:], p.Codec)
 	n += binary.PutUvarint(buf[n:], uint64(p.MhType))

cid_fuzz.go

@@ -0,0 +1,37 @@
+// +build gofuzz
+
+package cid
+
+func Fuzz(data []byte) int {
+	cid, err := Cast(data)
+
+	if err != nil {
+		return 0
+	}
+
+	_ = cid.Bytes()
+	_ = cid.String()
+	p := cid.Prefix()
+	_ = p.Bytes()
+
+	if !cid.Equals(cid) {
+		panic("inequality")
+	}
+
+	// json loop
+	json, err := cid.MarshalJSON()
+	if err != nil {
+		panic(err.Error())
+	}
+	cid2 := &Cid{}
+	err = cid2.UnmarshalJSON(json)
+	if err != nil {
+		panic(err.Error())
+	}
+
+	if !cid.Equals(cid2) {
+		panic("json loop not equal")
+	}
+
+	return 1
+}

cid_test.go

@@ -2,7 +2,9 @@ package cid
 
 import (
 	"bytes"
+	"fmt"
 	"math/rand"
+	"strings"
 	"testing"
 
 	mh "github.com/multiformats/go-multihash"
@@ -117,6 +119,15 @@ func TestPrefixRoundtrip(t *testing.T) {
 	}
 }
 
+func Test16BytesVarint(t *testing.T) {
+	data := []byte("this is some test content")
+	hash, _ := mh.Sum(data, mh.SHA2_256, -1)
+	c := NewCidV1(CBOR, hash)
+
+	c.codec = 1 << 63
+	_ = c.Bytes()
+}
+
 func TestFuzzCid(t *testing.T) {
 	buf := make([]byte, 128)
 	for i := 0; i < 200; i++ {
@@ -125,3 +136,55 @@ func TestFuzzCid(t *testing.T) {
 		_, _ = Cast(buf[:s])
 	}
 }
+
+func TestParse(t *testing.T) {
+	cid, err := Parse(123)
+	if err == nil {
+		t.Fatalf("expected error from Parse()")
+	}
+	if !strings.Contains(err.Error(), "can't parse 123 as Cid") {
+		t.Fatalf("expected int error, got %s", err.Error())
+	}
+
+	theHash := "QmdfTbBqBPQ7VNxZEYEj14VmRuZBkqFbiwReogJgS1zR1n"
+	h, err := mh.FromB58String(theHash)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	assertions := [][]interface{}{
+		[]interface{}{NewCidV0(h), theHash},
+		[]interface{}{NewCidV0(h).Bytes(), theHash},
+		[]interface{}{h, theHash},
+		[]interface{}{theHash, theHash},
+		[]interface{}{"/ipfs/" + theHash, theHash},
+		[]interface{}{"https://ipfs.io/ipfs/" + theHash, theHash},
+		[]interface{}{"http://localhost:8080/ipfs/" + theHash, theHash},
+	}
+
+	assert := func(arg interface{}, expected string) error {
+		cid, err = Parse(arg)
+		if err != nil {
+			return err
+		}
+		if cid.version != 0 {
+			return fmt.Errorf("expected version 0, got %s", string(cid.version))
+		}
+		actual := cid.Hash().B58String()
+		if actual != expected {
+			return fmt.Errorf("expected hash %s, got %s", expected, actual)
+		}
+		actual = cid.String()
+		if actual != expected {
+			return fmt.Errorf("expected string %s, got %s", expected, actual)
+		}
+		return nil
+	}
+
+	for _, args := range assertions {
+		err := assert(args[0], args[1].(string))
+		if err != nil {
+			t.Fatal(err)
+		}
+	}
+}

fuzz-data/corpus/cid0

@@ -0,0 +1 @@
+ ëgáD1üüÊe<C38A>-D˜/¹q3ø~å(Ä7`8–<38>‡n

fuzz-data/corpus/cid1

@@ -0,0 +1 @@
+
q -[<5B>ï<EFBFBD>h<EFBFBD>[<5B><10><>

package.json

@@ -22,9 +22,9 @@
   ],
   "gxVersion": "0.8.0",
   "language": "go",
-  "license": "",
+  "license": "MIT",
   "name": "go-cid",
   "releaseCmd": "git commit -a -m \"gx publish $VERSION\"",
-  "version": "0.7.5"
+  "version": "0.7.6"
 }