math/big: panic slice bounds out of range in Rat.GobDecode

[AdamKorcz]

Found by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52322

What version of Go are you using (go version)?

1.19.1 and 1.19.2

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/adam/.cache/go-build"
GOENV="/home/adam/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/home/adam/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/adam/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.19.1"
GCCGO="gccgo"
GOAMD64="v1"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/tmp/forked-istio/go.mod"
GOWORK=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build3333636918=/tmp/go-build -gno-record-gcc-switches"

What did you do?

This program:

package main

import (
        "math/big"
)

func main() {
        i1 := 255
        i2 := 255
        r := big.NewRat(int64(i1), int64(i2))
        buf := []byte{2, 255, 255, 255, 255}
        r.GobDecode(buf)
}

... panics with this stacktrace:

panic: runtime error: slice bounds out of range [5:4]

goroutine 1 [running]:
math/big.(*Rat).GobDecode(0xc00009af30?, {0xc00009af2b?, 0xff?, 0x0?})
        /tmp/go/src/math/big/ratmarsh.go:61 +0x250
main.main()
        /tmp/go-poc/main.go:12 +0x6a
exit status 2

What did you expect to see?

No Panic

What did you see instead?

See stacktrace above.

[mdempsky]

Seems like the issue is with:

go/src/math/big/ratmarsh.go

Lines 56 to 59 in f1e50a1

	i := j + binary.BigEndian.Uint32(buf[j-4:j])
	if len(buf) < int(i) {
	return errors.New("Rat.GobDecode: buffer too small")
	}

/cc @rolandshoemaker

[gopherbot]

Change https://go.dev/cl/442335 mentions this issue: math/big: error on buffer length overflow in Rat.GobDecode

[catenacyber]

And https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52299 also ;-)

[AdamKorcz]

This has not been fixed.

package main

import (
        "math/big"
)

func main() {

        buf := []byte{2, 255, 255, 255, 255}
        i1 := 32
        i2 := 255
        r := big.NewRat(int64(i1), int64(i2))
        r.GobDecode(buf)
}

Will produce the following stack trace:

panic: runtime error: slice bounds out of range [5:4]

goroutine 1 [running]:
math/big.(*Rat).GobDecode(0xc00009af30?, {0xc00009af2b?, 0xff?, 0x0?})
        /tmp/go/src/math/big/ratmarsh.go:61 +0x250
main.main()
        /tmp/go-poc/main.go:13 +0x6d

It has been tested with the latest release.

@neild @rolandshoemaker could we get this reopened?

[mdempsky]

It has been fixed at tip and will be included in the 1.20 release: https://go.dev/play/p/qsXUXNl_ZK_y?v=gotip

It hasn't been backported to 1.19 nor proposed for that.

[AdamKorcz]

Alright, thanks!