encoding/binary: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs #40618
Certain invalid inputs to
With the update,
Thanks to Diederik Loerakker, Jonny Rhea, Raúl Kripalani, and Preston Van Loon for reporting this issue.
This issue is CVE-2020-16845.
The text was updated successfully, but these errors were encountered:
This CL ensures that ReadUvarint consumes only a limited amount of input (instead of an unbounded amount). On some inputs, ReadUvarint could read an arbitrary number of bytes before deciding to return an overflow error. After this CL, ReadUvarint returns that same overflow error sooner, after reading at most MaxVarintLen64 bytes. Fix authored by Robert Griesemer and Filippo Valsorda. Thanks to Diederik Loerakker, Jonny Rhea, Raúl Kripalani, and Preston Van Loon for reporting this. Fixes #40618 Fixes CVE-2020-16845 Change-Id: Ie0cb15972f14c38b7cf7af84c45c4ce54909bb8f Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/812099 Reviewed-by: Filippo Valsorda <email@example.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/247120 Run-TryBot: Katie Hockman <firstname.lastname@example.org> TryBot-Result: Gobot Gobot <email@example.com> Reviewed-by: Alexander Rakoczy <firstname.lastname@example.org>