Cypherpunks repositories - gostls13.git/commit
[release-branch.go1.18] archive/tar: limit size of headers
author Damien Neil <dneil@google.com>
Sat, 3 Sep 2022 03:45:18 +0000 (20:45 -0700)
committer Carlos Amedee <carlos@golang.org>
Tue, 4 Oct 2022 17:08:25 +0000 (17:08 +0000)
commit 0a723816cd205576945fa57fbdde7e6532d59d08
tree 1fb84d32f6b5a5c899912d31b582144371e895db
parent 9d2c73a9fd69e45876509bb3bdb2af99bf77da1e
[release-branch.go1.18] archive/tar: limit size of headers

Set a 1MiB limit on special file blocks (PAX headers, GNU long names,
GNU link names), to avoid reading arbitrarily large amounts of data
into memory.

Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting
this issue.

Fixes CVE-2022-2879
Updates #54853
Fixes #55925

Change-Id: I85136d6ff1e0af101a112190e027987ab4335680
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1565555
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
(cherry picked from commit 6ee768cef6b82adf7a90dcf367a1699ef694f3b2)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1590622
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/438500
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Carlos Amedee <carlos@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Run-TryBot: Carlos Amedee <carlos@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
src/archive/tar/format.go
src/archive/tar/reader.go
src/archive/tar/reader_test.go
src/archive/tar/testdata/pax-bad-hdr-large.tar.bz2 [new file with mode: 0644]
src/archive/tar/writer.go
src/archive/tar/writer_test.go
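The commit message describes the mitigation (a 1 MiB cap on PAX header and GNU long name/link blocks) but this page shows none of the patched code. The following is an added example, not code from the Go project or from this commit: a stand-alone pre-check a defender can run over an untrusted tar stream before handing it to archive/tar on a Go release that predates the fix. It walks the raw 512-byte headers, applies the same bound to the special block types, and skips payloads without buffering them. The function and constant names are the example's own, and it validates nothing else (no checksums, no field sanity), so it complements archive/tar rather than replacing it.

```go
package main

import "fmt"
import "io"

// DefaultHeaderLimit mirrors the 1 MiB bound the fix places on special file blocks.
const DefaultHeaderLimit int64 = 1 << 20

// parseSize decodes the 12-byte size field: GNU base-256 when the high bit of
// the first byte is set, otherwise octal text ending at a NUL or space.
func parseSize(field []byte) int64 {
	var n int64
	if field[0]&0x80 != 0 {
		n = int64(field[0] & 0x7f)
		for _, b := range field[1:] {
			n = n<<8 | int64(b)
		}
		return n
	}
	for _, b := range field {
		if b < '0' || b > '7' {
			break
		}
		n = n<<3 | int64(b-'0')
	}
	return n
}

// CheckSpecialHeaderSizes walks the raw 512-byte blocks of a tar stream and fails
// as soon as a PAX ('x', 'g') or GNU long name/link ('L', 'K') entry declares
// more than limit bytes of payload. Payloads are discarded, never buffered.
func CheckSpecialHeaderSizes(r io.Reader, limit int64) error {
	var hdr [512]byte
	for {
		if _, err := io.ReadFull(r, hdr[:]); err != nil {
			if err == io.EOF {
				return nil // clean end of stream; trailing zero blocks read as empty entries
			}
			return err
		}
		size := parseSize(hdr[124:136])
		if t := hdr[156]; (t == 'x' || t == 'g' || t == 'L' || t == 'K') && size > limit {
			return fmt.Errorf("tar: type %q block declares %d bytes (limit %d)", t, size, limit)
		}
		// Skip the payload without buffering it, rounded up to whole blocks.
		if _, err := io.CopyN(io.Discard, r, (size+511)/512*512); err != nil {
			return err
		}
	}
}
```

Because the check only reads header blocks and discards payloads with io.CopyN, its own memory use stays constant regardless of what sizes the archive declares.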