archive/zip: malformed archive may cause panic or memory exhaustion

[rolandshoemaker]

Due to a pre-allocation optimization in zip.NewReader, a malformed archive which indicates it has a significant number of files can cause either a panic or memory exhaustion.

This was originally discoverd by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33912.

This is CVE-2021-33196.

[gopherbot]

Change https://golang.org/cl/318909 mentions this issue: archive/zip: only preallocate File slice if reasonably sized

[dmitshur]

Applying release-blocker and okay-after-beta1 labels based on my best understanding from conversation in #46241, please update if needed.

[rolandshoemaker]

@gopherbot please consider this for backport to 1.15 and 1.16 as this is a security issue.

[gopherbot]

Backport issue(s) opened: #46396 (for 1.15), #46397 (for 1.16).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://golang.org/wiki/MinorReleases.

[gopherbot]

Change https://golang.org/cl/322909 mentions this issue: [release-branch.go1.16] archive/zip: only preallocate File slice if reasonably sized

[gopherbot]

Change https://golang.org/cl/322949 mentions this issue: [release-branch.go1.15] archive/zip: only preallocate File slice if reasonably sized