Cypherpunks repositories - gostls13.git/commit
[release-branch.go1.19] archive/tar: limit size of headers
author Damien Neil <dneil@google.com>
Sat, 3 Sep 2022 03:45:18 +0000 (20:45 -0700)
committer Carlos Amedee <carlos@golang.org>
Tue, 4 Oct 2022 17:07:45 +0000 (17:07 +0000)
commit 4fa773cdefd20be093c84f731be7d4febf5536fa
tree a1c0f4cd5845220dd366c39a745cc968e094d35e
parent f6d844510d5f1e3b3098eba255d9b633d45eac3b
Set a 1MiB limit on special file blocks (PAX headers, GNU long names,
GNU link names), to avoid reading arbitrarily large amounts of data
into memory.

Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting
this issue.

Fixes CVE-2022-2879
Updates #54853
Fixes #55926

Change-Id: I85136d6ff1e0af101a112190e027987ab4335680
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1565555
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
(cherry picked from commit 6ee768cef6b82adf7a90dcf367a1699ef694f3b2)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1591053
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/438498
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Carlos Amedee <carlos@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Run-TryBot: Carlos Amedee <carlos@golang.org>
src/archive/tar/format.go
src/archive/tar/reader.go
src/archive/tar/reader_test.go
src/archive/tar/testdata/pax-bad-hdr-large.tar.bz2 [new file with mode: 0644]
src/archive/tar/writer.go
src/archive/tar/writer_test.go
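As an added illustration of the mitigation the commit message describes (this is not the Go project's own code from the files listed above), the Go snippet below reads the size field of a raw 512-byte tar header block and refuses PAX and GNU long-name/long-link blocks that claim more than 1 MiB before any buffer for their content is allocated. The constant and function names are this example's own, and the header blocks it checks are constructed in makeHeader rather than taken from the testdata archive.

```go
package main

import (
	"errors"
	"strconv"
	"strings"
)

// maxSpecialFileSize is the 1 MiB cap named in the commit message (the constant name is this example's own).
const maxSpecialFileSize = 1 << 20

var ErrFieldTooLong = errors.New("tar: special file block exceeds 1 MiB limit") // returned before any data is read

// parseOctal decodes a space/NUL-terminated octal field as stored in a tar header.
func parseOctal(b []byte) (int64, error) {
	s := strings.Trim(string(b), " \x00")
	if s == "" {
		return 0, nil
	}
	return strconv.ParseInt(s, 8, 64)
}

// checkSpecialHeader inspects one 512-byte header block. For the special blocks whose
// content a reader buffers in memory (PAX 'x'/'g', GNU long name 'L', GNU long link 'K')
// it enforces the cap on the claimed size before any allocation; ordinary entries yield -1.
func checkSpecialHeader(blk []byte) (int64, error) {
	if len(blk) < 512 {
		return 0, errors.New("tar: short header block")
	}
	if strings.IndexByte("xgLK", blk[156]) < 0 { // typeflag byte: not a special block
		return -1, nil
	}
	size, err := parseOctal(blk[124:136]) // 12-byte size field
	if err != nil {
		return 0, err
	}
	if size < 0 || size > maxSpecialFileSize {
		return 0, ErrFieldTooLong
	}
	return size, nil
}

// makeHeader builds a constructed header block for the demo; checksum and magic are omitted.
func makeHeader(name string, typeflag byte, size int64) []byte {
	blk := make([]byte, 512)
	copy(blk[0:100], name)
	copy(blk[124:136], strconv.FormatInt(size, 8)) // octal digits, remaining bytes stay NUL
	blk[156] = typeflag
	return blk
}
```

A reader that applies this check can only be made to allocate up to the cap per special block, which is the exposure the commit removes; a size field that parses as negative is rejected on the same path.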