fix: part file bounds checks in posix

2026-01-07 12:15:18 +00:00 · 2024-06-04 15:20:05 -07:00
parent 714dd6eb86
commit fe4c9dff76
1 changed files with 11 additions and 1 deletions
--- a/backend/posix/posix.go
+++ b/backend/posix/posix.go
@@ -24,6 +24,7 @@ import (
 	"fmt"
 	"io"
 	"io/fs"
+	"math"
 	"os"
 	"path/filepath"
 	"sort"
@@ -992,7 +993,11 @@ func (p *Posix) ListParts(_ context.Context, input *s3.ListPartsInput) (s3respon

 	var parts []s3response.Part
 	for _, e := range ents {
-		pn, _ := strconv.Atoi(e.Name())
+		pn, err := strconv.Atoi(e.Name())
+		if err != nil {
+			// file is not a valid part file
+			continue
+		}
 		if pn <= partNumberMarker {
 			continue
 		}
@@ -1816,6 +1821,11 @@ func (p *Posix) GetObjectAttributes(ctx context.Context, input *s3.GetObjectAttr
 	parts := []types.ObjectPart{}

 	for _, p := range resp.Parts {
+		if !(p.PartNumber > 0 && p.PartNumber <= math.MaxInt32) {
+			return s3response.GetObjectAttributesResult{},
+				s3err.GetAPIError(s3err.ErrInvalidPartNumber)
+		}
+
 		partNumber := int32(p.PartNumber)
 		size := p.Size