encoding/gob: change panic into error for corrupt input
authorRob Pike <r@golang.org>
Mon, 6 Apr 2015 18:39:36 +0000 (11:39 -0700)
committerRob Pike <r@golang.org>
Mon, 6 Apr 2015 21:40:03 +0000 (21:40 +0000)
decBuffer.Drop is called using data provided by the user, don't
panic if it's bogus.

Fixes #10272.

Change-Id: I913ae9c3c45cef509f2b8eb02d1efa87fbd52afa
Reviewed-on: https://go-review.googlesource.com/8496
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
src/encoding/gob/decode.go
src/encoding/gob/encoder_test.go

index a5bef93141b7adf29796a2276f1c83a45e40ece0..e227b221aa676e7458df5c1358a0bf0e9e08c790 100644 (file)
@@ -688,7 +688,11 @@ func (dec *Decoder) ignoreInterface(state *decoderState) {
                error_(dec.err)
        }
        // At this point, the decoder buffer contains a delimited value. Just toss it.
-       state.b.Drop(int(state.decodeUint()))
+       n := int(state.decodeUint())
+       if n < 0 || state.b.Len() < n {
+               errorf("bad interface encoding: length too large for buffer")
+       }
+       state.b.Drop(n)
 }
 
 // decodeGobDecoder decodes something implementing the GobDecoder interface.
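Review bot: The new bounds check in `ignoreInterface` runs only after the decoded length has been narrowed with `int(state.decodeUint())`. Assuming `decodeUint` returns a `uint64`, on a platform where `int` is 32 bits a corrupt length above 2^32 can wrap to a small non-negative `n`, pass `n < 0 || state.b.Len() < n`, and make `Drop` discard the wrong number of bytes instead of reporting an error. Comparing before narrowing closes that gap: `u := state.decodeUint()`, then `if u > uint64(state.b.Len()) { errorf("bad interface encoding: length too large for buffer") }`, then `state.b.Drop(int(u))`. The body of `ignoreInterface` starts outside this hunk, so any earlier length handling there is not visible here.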
index 4af7195209f48aa21c798f3ae6317f78ddf9cc0d..7607b17deee4b6b8a8fe7d6b76bfdbe7bf04b623 100644 (file)
@@ -954,3 +954,17 @@ func TestErrorForHugeSlice(t *testing.T) {
                t.Fatalf("decode: expected slice too big error, got %s", err.Error())
        }
 }
+
+// Don't crash, just give error with corrupted length.
+// Issue 10270.
+func TestErrorBadDrop(t *testing.T) {
+       data := []byte{0x05, 0x10, 0x00, 0x28, 0x55, 0x7b, 0x02, 0x02, 0x7f, 0x83, 0x02}
+       d := NewDecoder(bytes.NewReader(data))
+       err := d.Decode(nil)
+       if err == nil {
+               t.Fatal("decode: no error")
+       }
+       if !strings.Contains(err.Error(), "interface encoding") {
+               t.Fatalf("decode: expected interface encoding error, got %s", err.Error())
+       }
+}
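Review bot: The comment above `TestErrorBadDrop` cites `Issue 10270`, while the commit message says `Fixes #10272`; one of the two is presumably a typo. If the commit message is the correct one, the comment should read `// Issue 10272.` so the regression input can be traced to its report. The `data` literal is also opaque, and a one-line comment saying that it encodes an interface value whose declared length exceeds the remaining buffer would tell a maintainer what the bytes exercise. The substring match on `"interface encoding"` ties the test to the message text in decode.go, which is worth noting next to the assertion.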