diff options
author | Roland Shoemaker <roland@golang.org> | 2022-07-15 10:43:44 -0700 |
---|---|---|
committer | Cherry Mui <cherryyz@google.com> | 2022-07-29 14:06:18 +0000 |
commit | 703c8ab7e5ba75c95553d4e249309297abad7102 (patch) | |
tree | b01fba8f8fed093e7ebe56f6836c13b4a2f1b651 /src/math/big/floatmarsh.go | |
parent | d9242f7a8c29aa17201cd66d29cdd20916c2de60 (diff) | |
download | go-703c8ab7e5ba75c95553d4e249309297abad7102.tar.gz go-703c8ab7e5ba75c95553d4e249309297abad7102.zip |
[release-branch.go1.17] math/big: check buffer lengths in GobDecode
In Float.GobDecode and Rat.GobDecode, check buffer sizes before
indexing slices.
Updates #53871
Fixes #54094
Change-Id: I1b652c32c2bc7a0e8aa7620f7be9b2740c568b0a
Reviewed-on: https://go-review.googlesource.com/c/go/+/417774
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
(cherry picked from commit 055113ef364337607e3e72ed7d48df67fde6fc66)
Reviewed-on: https://go-review.googlesource.com/c/go/+/419814
Reviewed-by: Julie Qiu <julieqiu@google.com>
Diffstat (limited to 'src/math/big/floatmarsh.go')
-rw-r--r-- | src/math/big/floatmarsh.go | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/src/math/big/floatmarsh.go b/src/math/big/floatmarsh.go index d1c1dab069..990e085abe 100644 --- a/src/math/big/floatmarsh.go +++ b/src/math/big/floatmarsh.go @@ -8,6 +8,7 @@ package big import ( "encoding/binary" + "errors" "fmt" ) @@ -67,6 +68,9 @@ func (z *Float) GobDecode(buf []byte) error { *z = Float{} return nil } + if len(buf) < 6 { + return errors.New("Float.GobDecode: buffer too small") + } if buf[0] != floatGobVersion { return fmt.Errorf("Float.GobDecode: encoding version %d not supported", buf[0]) @@ -83,6 +87,9 @@ func (z *Float) GobDecode(buf []byte) error { z.prec = binary.BigEndian.Uint32(buf[2:]) if z.form == finite { + if len(buf) < 10 { + return errors.New("Float.GobDecode: buffer too small for finite form float") + } z.exp = int32(binary.BigEndian.Uint32(buf[6:])) z.mant = z.mant.setBytes(buf[10:]) } |