Add check for signatures which are too long

ssbc · Dec 31, 2022 · 532060c · 532060c
1 parent 04c3a58
commit 532060c
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/message/legacy/signature.go b/message/legacy/signature.go
@@ -13,9 +13,9 @@ import (
 	"fmt"
 	"io"
 	"regexp"
+	"crypto/ed25519"
 
 	refs "github.com/ssbc/go-ssb-refs"
-	"golang.org/x/crypto/ed25519"
 )
 
 var signatureRegexp = regexp.MustCompile(",\n  \"signature\": \"([A-Za-z0-9/+=.]+)\"")
@@ -52,6 +52,9 @@ func NewSignatureFromBase64(input []byte) (Signature, error) {
 	if gotLen < ed25519.SignatureSize {
 		return nil, fmt.Errorf("ssb/signature: expected more signature data but only got %d", gotLen)
 	}
+	if gotLen > ed25519.SignatureSize {
+		return nil, fmt.Errorf("ssb/signature: expected less signature data but got %d", gotLen)
+	}
 
 	// allocate space for the signature and copy data into it
 	decoded := make([]byte, ed25519.SignatureSize)