Status: Closed
Labels: FrozenDueToAge, NeedsInvestigation (someone must examine and confirm this is a valid issue and not a duplicate of an existing one)
Description
What version of Go are you using (go version)?
$ go version
go version go1.19 linux/amd64
Does this issue reproduce with the latest release?
Yes
What operating system and processor architecture are you using (go env)?
go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/root/.cache/go-build"
GOENV="/root/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/root/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/root/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/root/.go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/root/.go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.19"
GCCGO="gccgo"
GOAMD64="v1"
AR="ar"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD="/src/ngolo-fuzzing/go.mod"
GOWORK=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -Wl,--no-gc-sections -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build2481516251=/tmp/go-build -gno-record-gcc-switches"
What did you do?
Run https://go.dev/play/p/JjDgRJRZXpk
What did you expect to see?
The program finishing and printing Hello
What did you see instead?
panic: runtime error: index out of range [-1]
goroutine 1 [running]:
math/big.fnorm({0xc000092000?, 0x0?, 0x10?})
/usr/local/go-faketime/src/math/big/float.go:580 +0x9d
math/big.(*Float).uadd(0xc00008e030, 0xa?, 0x3500fffff9?)
/usr/local/go-faketime/src/math/big/float.go:1253 +0x468
math/big.(*Float).Add(0xc00008e030, 0xc000074f34?, 0xc00006e000?)
/usr/local/go-faketime/src/math/big/float.go:1466 +0x5a
main.main()
/tmp/sandbox2865641649/prog.go:13 +0x8b
Program exited.
Found by https://github.com/catenacyber/ngolo-fuzzing with oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=54807
Another variant is https://go.dev/play/p/ELqX97rhBPF
Thanks for the report. I've looked at the issue and I think it can be disclosed publicly. The issue appears to be in the Gob decoder, which incorrectly accepts a malformed float which otherwise appears impossible to generate via Float-only operations.
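A defensive wrapper around the decoder discussed in the comment above, added here as an example (it is not code from the issue or from the Go project): it decodes the gob bytes and then exercises the value inside a recovered probe that uses the same Float.Add path shown panicking in the stack trace, so a malformed encoding surfaces as an ordinary error instead of a crash. The function name decodeFloatStrict and the truncated sample input are constructed for this example; the report does not publish the malformed bytes, so none are reproduced here.

```go
package main

import (
	"fmt"
	"math/big"
)

// decodeFloatStrict is an added defensive wrapper (not part of math/big).
// It decodes a gob-encoded big.Float and, before returning it, exercises
// the value inside a recovered probe. The report shows Float.GobDecode
// accepting a malformed value that only panics later, in fnorm during
// Float.Add; the probe turns that panic into an ordinary error.
func decodeFloatStrict(data []byte) (f *big.Float, err error) {
	defer func() {
		if r := recover(); r != nil {
			f, err = nil, fmt.Errorf("malformed big.Float encoding: %v", r)
		}
	}()
	f = new(big.Float)
	if err = f.GobDecode(data); err != nil {
		return nil, err
	}
	// Same operation as the stack trace: a finite+finite Add runs through
	// uadd and mantissa normalization (fnorm).
	probe := new(big.Float).Add(f, f)
	// Sanity check for finite, nonzero values: f+f must equal 2*f exactly
	// (both are a pure exponent shift at f's precision).
	if f.Sign() != 0 && !f.IsInf() {
		twice := new(big.Float).Mul(f, big.NewFloat(2))
		if probe.Cmp(twice) != 0 {
			return nil, fmt.Errorf("probe mismatch after decode")
		}
	}
	return f, nil
}

func main() {
	// Constructed inputs: a valid encoding and a deliberately truncated one.
	enc, _ := big.NewFloat(1.5).GobEncode()
	f, err := decodeFloatStrict(enc)
	fmt.Println("valid:", f, err)
	_, err = decodeFloatStrict([]byte{0x01, 0x02})
	fmt.Println("truncated:", err)
}
```

The wrapper is only a guard for untrusted input on the affected release; the fix belongs in GobDecode itself.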