When attempting to decode an OpenPGP clearsigned message that has been truncated, the parser at golang.org/x/crypto/openpgp/clearsign enters into an infinite loop. This is clearly wrong. I would have expected that the decoder behave the same way as if it were given any other bad input: it fails to decode a PGP packet and returns all the data.
There is a fix for this bug at https://go-review.googlesource.com/#/c/17693/; it just needs reviewing.
Minimal program that triggers the bug:
```go
package main

import (
	"fmt"

	"golang.org/x/crypto/openpgp/clearsign"
)

func main() {
	message := "-----BEGIN PGP SIGNED MESSAGE-----\n\nHello"
	fmt.Println(clearsign.Decode([]byte(message)))
}
```
Expected output:
Actual output:
My go version:
go version go1.5.3 darwin/amd64
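
Added example, not part of the original report and not the x/crypto code: a truncation sweep that feeds every prefix of a clearsigned message to a decoder under a deadline and reports the lengths at which it fails to return, which generalizes the single truncated input above into a regression check. `hangsOn`, `stubHanging`, `stubFixed` and the sample message are constructed for illustration; to exercise the real parser, pass a wrapper that returns the second result of `clearsign.Decode`.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

const (
	header   = "-----BEGIN PGP SIGNED MESSAGE-----"
	sigBegin = "-----BEGIN PGP SIGNATURE-----"
	// Constructed sample; the signature body is a placeholder, not a real signature.
	sample = header + "\n\nHello\n" + sigBegin + "\n\n(placeholder)\n-----END PGP SIGNATURE-----\n"
)

// hangsOn feeds every prefix of msg to decode and returns the prefix lengths for which
// decode did not return within limit. A stuck goroutine cannot be killed: run in a test process.
func hangsOn(decode func([]byte) []byte, msg []byte, limit time.Duration) []int {
	var hung []int
	for n := 0; n <= len(msg); n++ {
		done := make(chan struct{})
		go func(in []byte) {
			decode(in)
			close(done)
		}(append([]byte(nil), msg[:n]...))
		select {
		case <-done:
		case <-time.After(limit):
			hung = append(hung, n)
		}
	}
	return hung
}

// stubHanging is a constructed stand-in for the reported symptom (not x/crypto code).
func stubHanging(data []byte) []byte {
	s := string(data)
	if strings.HasPrefix(s, header+"\n") && !strings.Contains(s, sigBegin) {
		select {} // stands in for the infinite loop
	}
	return data
}

// stubFixed models the expected behaviour: undecodable input comes back as-is.
func stubFixed(data []byte) []byte { return data }

func main() {
	fmt.Println("hanging stub:", hangsOn(stubHanging, []byte(sample), 50*time.Millisecond))
	fmt.Println("fixed stub:  ", hangsOn(stubFixed, []byte(sample), 50*time.Millisecond))
}
```

The 41-byte message from the report is one of the prefixes in the sweep (length 41).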