encoding/gob: error rather than panic when decoding enormous slices

Fixes #8084.

LGTM=ruiu
R=golang-codereviews, ruiu
CC=golang-codereviews
https://golang.org/cl/142710043

1 files changed, 11 insertions, 1 deletions

diff --git a/src/encoding/gob/decode.go b/src/encoding/gob/decode.go
index 2367650c8b..502209a8a8 100644
--- a/src/encoding/gob/decode.go
+++ b/src/encoding/gob/decode.go
@@ -312,6 +312,9 @@ func decUint8Slice(i *decInstr, state *decoderState, value reflect.Value) {
 	if n > state.b.Len() {
 		errorf("%s data too long for buffer: %d", value.Type(), n)
 	}
+	if n > tooBig {
+		errorf("byte slice too big: %d", n)
+	}
 	if value.Cap() < n {
 		value.Set(reflect.MakeSlice(value.Type(), n, n))
 	} else {
@@ -539,8 +542,15 @@ func (dec *Decoder) decodeSlice(state *decoderState, value reflect.Value, elemOp
 		// of interfaces, there will be buffer reloads.
 		errorf("length of %s is negative (%d bytes)", value.Type(), u)
 	}
+	typ := value.Type()
+	size := uint64(typ.Elem().Size())
+	// Take care with overflow in this calculation.
+	nBytes := u * size
+	if nBytes > tooBig || (size > 0 && nBytes/size != u) {
+		errorf("%s slice too big: %d elements of %d bytes", typ.Elem(), n, size)
+	}
 	if value.Cap() < n {
-		value.Set(reflect.MakeSlice(value.Type(), n, n))
+		value.Set(reflect.MakeSlice(typ, n, n))
 	} else {
 		value.Set(value.Slice(0, n))
 	}