From 9f6590f333ee3ecd318e95ef54073fe76d1225de Mon Sep 17 00:00:00 2001
From: Roland Shoemaker <roland@golang.org>
Date: Mon, 27 Oct 2025 08:15:48 -0700
Subject: [PATCH] encoding/pem: don't reslice in failure modes

We re-slice the data being processed at the stat of each loop. If the
var that we use to calculate where to re-slice is < 0 or > the length
of the remaining data, return instead of attempting to re-slice.

Change-Id: I1d6c2b6c596feedeea8feeaace370ea73ba02c4c
Reviewed-on: https://go-review.googlesource.com/c/go/+/715260
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Roland Shoemaker <roland@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
---
 src/encoding/pem/pem.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/encoding/pem/pem.go b/src/encoding/pem/pem.go
index 1da60d3227..6bf2b41ad0 100644
--- a/src/encoding/pem/pem.go
+++ b/src/encoding/pem/pem.go
@@ -95,6 +95,9 @@ func Decode(data []byte) (p *Block, rest []byte) {
 	for {
 		// If we've already tried parsing a block, skip past the END we already
 		// saw.
+		if endTrailerIndex < 0 || endTrailerIndex > len(rest) {
+			return nil, data
+		}
 		rest = rest[endTrailerIndex:]
 
 		// Find the first END line, and then find the last BEGIN line before
-- 
2.52.0