From b6e7e16208be683dbf8039acc7d7dfd97888aba1 Mon Sep 17 00:00:00 2001 From: Ian Lance Taylor Date: Tue, 11 Oct 2022 11:21:13 -0700 Subject: [PATCH] math/big: error on buffer length overflow in Rat.GobDecode Fixes #56156 Change-Id: Ib85ff45f0b0d0eac83c39606ee20b3a312e6e919 Reviewed-on: https://go-review.googlesource.com/c/go/+/442335 Run-TryBot: Ian Lance Taylor Auto-Submit: Ian Lance Taylor Reviewed-by: Matthew Dempsky Reviewed-by: Ian Lance Taylor Run-TryBot: Ian Lance Taylor TryBot-Result: Gopher Robot --- src/math/big/ratmarsh.go | 9 +++++++-- src/math/big/ratmarsh_test.go | 1 + 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/src/math/big/ratmarsh.go b/src/math/big/ratmarsh.go index 56102e845b..b69c59dfb6 100644 --- a/src/math/big/ratmarsh.go +++ b/src/math/big/ratmarsh.go @@ -10,6 +10,7 @@ import ( "encoding/binary" "errors" "fmt" + "math" ) // Gob codec version. Permits backward-compatible changes to the encoding. @@ -53,8 +54,12 @@ func (z *Rat) GobDecode(buf []byte) error { return fmt.Errorf("Rat.GobDecode: encoding version %d not supported", b>>1) } const j = 1 + 4 - i := j + binary.BigEndian.Uint32(buf[j-4:j]) - if len(buf) < int(i) { + ln := binary.BigEndian.Uint32(buf[j-4 : j]) + if uint64(ln) > math.MaxInt-j { + return errors.New("Rat.GobDecode: invalid length") + } + i := j + int(ln) + if len(buf) < i { return errors.New("Rat.GobDecode: buffer too small") } z.a.neg = b&1 != 0 diff --git a/src/math/big/ratmarsh_test.go b/src/math/big/ratmarsh_test.go index 55a9878bb8..15c933efa6 100644 --- a/src/math/big/ratmarsh_test.go +++ b/src/math/big/ratmarsh_test.go @@ -128,6 +128,7 @@ func TestRatGobDecodeShortBuffer(t *testing.T) { for _, tc := range [][]byte{ []byte{0x2}, []byte{0x2, 0x0, 0x0, 0x0, 0xff}, + []byte{0x2, 0xff, 0xff, 0xff, 0xff}, } { err := NewRat(1, 2).GobDecode(tc) if err == nil { -- 2.50.0