sneak/vaultik
1
0
Fork 0
Code Issues 18 Pull Requests 4 Actions Packages Projects Releases Wiki Activity

CompressStream double-closes the blobgen.Writer causing potential errors #28

New Issue
Closed
opened 2026-02-08 21:01:09 +01:00 by clawbot · 0 comments
clawbot commented 2026-02-08 21:01:09 +01:00
Collaborator
Copy Link

Bug

In internal/blobgen/compress.go, CompressStream has both a defer w.Close() and an explicit w.Close() call:

func CompressStream(dst io.Writer, src io.Reader, compressionLevel int, recipients []string) (written int64, hash string, err error) {
    w, err := NewWriter(dst, compressionLevel, recipients)
    if err != nil {
        return 0, "", ...
    }
    defer func() { _ = w.Close() }()  // <-- will always run

    if _, err := io.Copy(w, src); err != nil {
        return 0, "", ...
    }

    if err := w.Close(); err != nil {  // <-- explicit close
        return 0, "", ...
    }
    // defer runs AGAIN here, double-closing
    return w.BytesWritten(), ...
}

The Writer.Close() calls compressor.Close() then encryptor.Close(). The second close on the zstd encoder returns an error ("use after close"), and the age encryptor close may write duplicate finalization bytes to the output, corrupting the stream.

Fix

Use a writerClosed flag pattern (already used in snapshot.go compressFile) or remove the defer.

## Bug In `internal/blobgen/compress.go`, `CompressStream` has both a `defer w.Close()` and an explicit `w.Close()` call: ```go func CompressStream(dst io.Writer, src io.Reader, compressionLevel int, recipients []string) (written int64, hash string, err error) { w, err := NewWriter(dst, compressionLevel, recipients) if err != nil { return 0, "", ... } defer func() { _ = w.Close() }() // <-- will always run if _, err := io.Copy(w, src); err != nil { return 0, "", ... } if err := w.Close(); err != nil { // <-- explicit close return 0, "", ... } // defer runs AGAIN here, double-closing return w.BytesWritten(), ... } ``` The `Writer.Close()` calls `compressor.Close()` then `encryptor.Close()`. The second close on the zstd encoder returns an error ("use after close"), and the age encryptor close may write duplicate finalization bytes to the output, corrupting the stream. ## Fix Use a `writerClosed` flag pattern (already used in `snapshot.go` `compressFile`) or remove the defer.
clawbot self-assigned this 2026-02-08 21:01:09 +01:00
sneak closed this issue 2026-02-16 06:04:33 +01:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels   
bot

Agent's turn to work

  
merge-ready

All checks pass, reviewed, rebased, ready for merge

  
needs-checks

make check does not pass cleanly

  
needs-rebase

PR has merge conflicts or is behind main

  
needs-review

Code review not yet done

  
needs-rework

Code review found issues to fix

No Label
bot
merge-ready
needs-checks
needs-rebase
needs-review
needs-rework
Milestone
Clear milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
clawbot
1 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: sneak/vaultik#28
No description provided.
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?