math/big: check buffer lengths in GobDecode

rolandshoemaker · rolandshoemaker · commit 055113ef3643 · 2022-07-27T18:31:51.000Z
In Float.GobDecode and Rat.GobDecode, check buffer sizes before indexing slices. Fixes #53871 Change-Id: I1b652c32c2bc7a0e8aa7620f7be9b2740c568b0a Reviewed-on: https://go-review.googlesource.com/c/go/+/417774 TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Tatiana Bradley <tatiana@golang.org> Run-TryBot: Roland Shoemaker <roland@golang.org>
diff --git a/src/math/big/floatmarsh.go b/src/math/big/floatmarsh.go
@@ -8,6 +8,7 @@ package big
 
 import (
 	"encoding/binary"
+	"errors"
 	"fmt"
 )
 
@@ -67,6 +68,9 @@ func (z *Float) GobDecode(buf []byte) error {
 		*z = Float{}
 		return nil
 	}
+	if len(buf) < 6 {
+		return errors.New("Float.GobDecode: buffer too small")
+	}
 
 	if buf[0] != floatGobVersion {
 		return fmt.Errorf("Float.GobDecode: encoding version %d not supported", buf[0])
@@ -83,6 +87,9 @@ func (z *Float) GobDecode(buf []byte) error {
 	z.prec = binary.BigEndian.Uint32(buf[2:])
 
 	if z.form == finite {
+		if len(buf) < 10 {
+			return errors.New("Float.GobDecode: buffer too small for finite form float")
+		}
 		z.exp = int32(binary.BigEndian.Uint32(buf[6:]))
 		z.mant = z.mant.setBytes(buf[10:])
 	}
diff --git a/src/math/big/floatmarsh_test.go b/src/math/big/floatmarsh_test.go
@@ -137,3 +137,15 @@ func TestFloatJSONEncoding(t *testing.T) {
 		}
 	}
 }
+
+func TestFloatGobDecodeShortBuffer(t *testing.T) {
+	for _, tc := range [][]byte{
+		[]byte{0x1, 0x0, 0x0, 0x0},
+		[]byte{0x1, 0xfa, 0x0, 0x0, 0x0, 0x0},
+	} {
+		err := NewFloat(0).GobDecode(tc)
+		if err == nil {
+			t.Error("expected GobDecode to return error for malformed input")
+		}
+	}
+}
diff --git a/src/math/big/ratmarsh.go b/src/math/big/ratmarsh.go
@@ -45,12 +45,18 @@ func (z *Rat) GobDecode(buf []byte) error {
 		*z = Rat{}
 		return nil
 	}
+	if len(buf) < 5 {
+		return errors.New("Rat.GobDecode: buffer too small")
+	}
 	b := buf[0]
 	if b>>1 != ratGobVersion {
 		return fmt.Errorf("Rat.GobDecode: encoding version %d not supported", b>>1)
 	}
 	const j = 1 + 4
 	i := j + binary.BigEndian.Uint32(buf[j-4:j])
+	if len(buf) < int(i) {
+		return errors.New("Rat.GobDecode: buffer too small")
+	}
 	z.a.neg = b&1 != 0
 	z.a.abs = z.a.abs.setBytes(buf[j:i])
 	z.b.abs = z.b.abs.setBytes(buf[i:])
diff --git a/src/math/big/ratmarsh_test.go b/src/math/big/ratmarsh_test.go
@@ -123,3 +123,15 @@ func TestRatXMLEncoding(t *testing.T) {
 		}
 	}
 }
+
+func TestRatGobDecodeShortBuffer(t *testing.T) {
+	for _, tc := range [][]byte{
+		[]byte{0x2},
+		[]byte{0x2, 0x0, 0x0, 0x0, 0xff},
+	} {
+		err := NewRat(1, 2).GobDecode(tc)
+		if err == nil {
+			t.Error("expected GobDecode to return error for malformed input")
+		}
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -137,3 +137,15 @@ func TestFloatJSONEncoding(t *testing.T) {`
`137`	`137`	`}`
`138`	`138`	`}`
`139`	`139`	`}`
	`140`	`+`
	`141`	`+func TestFloatGobDecodeShortBuffer(t *testing.T) {`
	`142`	`+ for _, tc := range [][]byte{`
	`143`	`+ []byte{0x1, 0x0, 0x0, 0x0},`
	`144`	`+ []byte{0x1, 0xfa, 0x0, 0x0, 0x0, 0x0},`
	`145`	`+ } {`
	`146`	`+ err := NewFloat(0).GobDecode(tc)`
	`147`	`+ if err == nil {`
	`148`	`+ t.Error("expected GobDecode to return error for malformed input")`
	`149`	`+ }`
	`150`	`+ }`
	`151`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -123,3 +123,15 @@ func TestRatXMLEncoding(t *testing.T) {`
`123`	`123`	`}`
`124`	`124`	`}`
`125`	`125`	`}`
	`126`	`+`
	`127`	`+func TestRatGobDecodeShortBuffer(t *testing.T) {`
	`128`	`+ for _, tc := range [][]byte{`
	`129`	`+ []byte{0x2},`
	`130`	`+ []byte{0x2, 0x0, 0x0, 0x0, 0xff},`
	`131`	`+ } {`
	`132`	`+ err := NewRat(1, 2).GobDecode(tc)`
	`133`	`+ if err == nil {`
	`134`	`+ t.Error("expected GobDecode to return error for malformed input")`
	`135`	`+ }`
	`136`	`+ }`
	`137`	`+}`