Cypherpunks repositories - gostls13.git/commit

author	Damien Neil <dneil@google.com>
	Sat, 3 Sep 2022 03:45:18 +0000 (20:45 -0700)
committer	Gopher Robot <gobot@golang.org>
	Wed, 5 Oct 2022 20:40:43 +0000 (20:40 +0000)
commit	0bf7ee9977c0218562c50a0b0f0d9cbdf33f65e6
tree	b6a0ca78c1885bbe74e9acdf651ba8627524035b	tree
parent	c3c4aea55b404c2e6ef109ec6a345f4ccb877381	commit \| diff

archive/tar: limit size of headers

Set a 1MiB limit on special file blocks (PAX headers, GNU long names,
GNU link names), to avoid reading arbitrarily large amounts of data
into memory.

Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting
this issue.

Fixes CVE-2022-2879
For #54853

Change-Id: I85136d6ff1e0af101a112190e027987ab4335680
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1565555
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/439355
Reviewed-by: Damien Neil <dneil@google.com>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Roland Shoemaker <roland@golang.org>

src/archive/tar/format.go		diff \| blob \| history
src/archive/tar/reader.go		diff \| blob \| history
src/archive/tar/reader_test.go		diff \| blob \| history
src/archive/tar/testdata/pax-bad-hdr-large.tar.bz2	[new file with mode: 0644]	blob
src/archive/tar/writer.go		diff \| blob \| history
src/archive/tar/writer_test.go		diff \| blob \| history