math/big: error on buffer length overflow in Rat.GobDecode

Fixes #56156 Change-Id: Ib85ff45f0b0d0eac83c39606ee20b3a312e6e919 Reviewed-on: https://go-review.googlesource.com/c/go/+/442335 Run-TryBot: Ian Lance Taylor <iant@google.com> Auto-Submit: Ian Lance Taylor <iant@google.com> Reviewed-by: Matthew Dempsky <mdempsky@google.com> Reviewed-by: Ian Lance Taylor <iant@google.com> Run-TryBot: Ian Lance Taylor <iant@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org>
2024-11-17 15:54:39 -07:00 · 2022-10-11 11:21:13 -07:00 · 2022-10-11 11:21:13 -07:00 · b6e7e16208
commit b6e7e16208
parent 01604129ae
2 changed files with 8 additions and 2 deletions
--- a/src/math/big/ratmarsh.go
+++ b/src/math/big/ratmarsh.go
@ -10,6 +10,7 @@ import (
 	"encoding/binary"
 	"errors"
 	"fmt"
+	"math"
 )

 // Gob codec version. Permits backward-compatible changes to the encoding.
@ -53,8 +54,12 @@ func (z *Rat) GobDecode(buf []byte) error {
 		return fmt.Errorf("Rat.GobDecode: encoding version %d not supported", b>>1)
 	}
 	const j = 1 + 4
-	i := j + binary.BigEndian.Uint32(buf[j-4:j])
-	if len(buf) < int(i) {
+	ln := binary.BigEndian.Uint32(buf[j-4 : j])
+	if uint64(ln) > math.MaxInt-j {
+		return errors.New("Rat.GobDecode: invalid length")
+	}
+	i := j + int(ln)
+	if len(buf) < i {
 		return errors.New("Rat.GobDecode: buffer too small")
 	}
 	z.a.neg = b&1 != 0
--- a/src/math/big/ratmarsh_test.go
+++ b/src/math/big/ratmarsh_test.go
@ -128,6 +128,7 @@ func TestRatGobDecodeShortBuffer(t *testing.T) {
 	for _, tc := range [][]byte{
 		[]byte{0x2},
 		[]byte{0x2, 0x0, 0x0, 0x0, 0xff},
+		[]byte{0x2, 0xff, 0xff, 0xff, 0xff},
 	} {
 		err := NewRat(1, 2).GobDecode(tc)
 		if err == nil {