archive/zip: overflow in preallocation check can cause OOM panic

[rolandshoemaker]

An oversight in the fix for #46242 still allows for an OOM panic when the indicated directory size in the archive header is so large that subtracting it from the archive size overflows a uint64, effectively bypassing the check that the number of files in the archive is reasonable.

This is CVE-2021-39293.

[gopherbot]

Change https://golang.org/cl/343434 mentions this issue: archive/zip: prevent preallocation check from overflowing

[odeke-em]

Thank you for filing this issue, and for fixing it @rolandshoemaker!

Could we perhaps backport the fix? There isn't a way for Go users using 1.16 and 1.17 to mitigate this issue, and I can see a huge surface number of affected users who can't upgrade to tip aka Go1.18 currently.

[rolandshoemaker]

Oops, yup, thought I'd already done this.

[rolandshoemaker]

@gopherbot please backport to 1.16 and 1.17.

This is a security issue.

[gopherbot]

Backport issue(s) opened: #47985 (for 1.16), #47986 (for 1.17).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://golang.org/wiki/MinorReleases.

[gopherbot]

Change https://golang.org/cl/345409 mentions this issue: [release-branch.go1.16] archive/zip: prevent preallocation check from overflowing

[gopherbot]

Change https://golang.org/cl/345410 mentions this issue: [release-branch.go1.17] archive/zip: prevent preallocation check from overflowing