qbit/go
1
0
Fork 0
mirror of https://github.com/golang/go synced 2024-11-17 13:54:46 -07:00
Code Releases Activity

mime/multipart: return overflow errors in Reader.ReadForm

Browse Source 
Updates Reader.ReadForm to check for overflow errors that may
result from a leeway addition of 10MiB to the input argument
maxMemory.

Fixes #40430

Change-Id: I510b8966c95c51d04695ba9d08fcfe005fd11a5d
Reviewed-on: https://go-review.googlesource.com/c/go/+/247477
Run-TryBot: Emmanuel Odeke <emm.odeke@gmail.com>
Trust: Cuong Manh Le <cuong.manhle.vn@gmail.com>
Trust: Emmanuel Odeke <emm.odeke@gmail.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Emmanuel Odeke <emm.odeke@gmail.com>
This commit is contained in:
avivklas 2020-08-07 21:50:12 +03:00 committed by Emmanuel Odeke
parent 05b626e490
commit 874b3132a8
2 changed files with 22 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/mime/multipart/formdata.go
View File

@ -7,6 +7,7 @@ package multipart
import ( import (
"bytes" "bytes"
"errors" "errors"
"fmt"
"io" "io"
"io/ioutil" "io/ioutil"
"net/textproto" "net/textproto"
@ -41,6 +42,9 @@ func (r *Reader) readForm(maxMemory int64) (_ *Form, err error) {
// Reserve an additional 10 MB for non-file parts. // Reserve an additional 10 MB for non-file parts.
maxValueBytes := maxMemory + int64(10<<20) maxValueBytes := maxMemory + int64(10<<20)
if maxValueBytes <= 0 {
return nil, fmt.Errorf("multipart: integer overflow from maxMemory(%d) + 10MiB for non-file parts", maxMemory)
}
for { for {
p, err := r.NextPart() p, err := r.NextPart()
if err == io.EOF { if err == io.EOF {

18
src/mime/multipart/formdata_test.go
View File

@ -7,6 +7,7 @@ package multipart
import ( import (
"bytes" "bytes"
"io" "io"
"math"
"os" "os"
"strings" "strings"
"testing" "testing"
@ -52,6 +53,23 @@ func TestReadFormWithNamelessFile(t *testing.T) {
} }
} }
// Issue 40430: Ensure that we report integer overflows in additions of maxMemory,
// instead of silently and subtly failing without indication.
func TestReadFormMaxMemoryOverflow(t *testing.T) {
b := strings.NewReader(strings.ReplaceAll(messageWithTextContentType, "\n", "\r\n"))
r := NewReader(b, boundary)
f, err := r.ReadForm(math.MaxInt64)
if err == nil {
t.Fatal("Unexpected a non-nil error")
}
if f != nil {
t.Fatalf("Unexpected returned a non-nil form: %v\n", f)
}
if g, w := err.Error(), "integer overflow from maxMemory"; !strings.Contains(g, w) {
t.Errorf(`Error mismatch\n%q\ndid not contain\n%q`, g, w)
}
}
func TestReadFormWithTextContentType(t *testing.T) { func TestReadFormWithTextContentType(t *testing.T) {
// From https://github.com/golang/go/issues/24041 // From https://github.com/golang/go/issues/24041
b := strings.NewReader(strings.ReplaceAll(messageWithTextContentType, "\n", "\r\n")) b := strings.NewReader(strings.ReplaceAll(messageWithTextContentType, "\n", "\r\n"))