mirror of
https://github.com/golang/go
synced 2024-11-25 20:37:56 -07:00
08c84420bc
This change makes sure that we are properly checking the ignored field recursion depth in decIgnoreOpFor consistently. This prevents stack exhaustion when attempting to decode a message that contains an extremely deeply nested struct which is ignored. Thanks to Md Sakib Anwar of The Ohio State University (anwar.40@osu.edu) for reporting this issue. Fixes #69139 Fixes CVE-2024-34156 Change-Id: Iacce06be95a5892b3064f1c40fcba2e2567862d6 Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1440 Reviewed-by: Russ Cox <rsc@google.com> Reviewed-by: Damien Neil <dneil@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/611239 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: Roland Shoemaker <roland@golang.org> Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org> |
||
|---|---|---|
| .. | ||
| ascii85 | ||
| asn1 | ||
| base32 | ||
| base64 | ||
| binary | ||
| csv | ||
| gob | ||
| hex | ||
| json | ||
| pem | ||
| xml | ||
| encoding.go | ||