Cypherpunks repositories - gostls13.git/commit

author	Katie Hockman <katie@golang.org>
	Mon, 1 Mar 2021 14:54:00 +0000 (09:54 -0500)
committer	Katie Hockman <katiehockman@google.com>
	Tue, 9 Mar 2021 17:43:02 +0000 (17:43 +0000)
commit	91062c2e4cbbf78a108919f6ed3ded1173937cf3
tree	6f04b2f35c33c61d0c73f6143dda8168aa7a7279	tree
parent	fa6752a5370735b8c2404d6de5191f2eea67130f	commit \| diff

[release-branch.go1.15-security] encoding/xml: prevent infinite loop while decoding

This change properly handles a TokenReader which
returns an EOF in the middle of an open XML
element.

Thanks to Sam Whited for reporting this.

Fixes CVE-2021-27918

Change-Id: Id02a3f3def4a1b415fa2d9a8e3b373eb6cb0f433
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1004594
Reviewed-by: Russ Cox <rsc@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Filippo Valsorda <valsorda@google.com>
(cherry picked from commit e7ce1f6746223ec7b4caa3b1ece25d9be3864710)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1014236

src/encoding/xml/xml.go		diff \| blob \| history
src/encoding/xml/xml_test.go		diff \| blob \| history