Skip to content

encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom TokenReader [Go 1.15] #44914

New issue
New issue
Closed
Closed
encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom TokenReader [Go 1.15]#44914
Labels
CherryPickApprovedUsed during the release process for point releasesFrozenDueToAgeSecurity
Milestone
 
Go1.15.9
@katiehockman

Description

@katiehockman
katiehockman
opened on Mar 10, 2021

The Decode, DecodeElement, and Skip methods of an xml.Decoder provided by xml.NewTokenDecoder may enter an infinite loop when operating on a custom xml.TokenReader which returns an EOF in the middle of an open XML element.

Thanks to Sam Whited for reporting this issue.
This issue is CVE-2021-27918.

Metadata

Metadata

Assignees

No one assigned

    Labels

    CherryPickApprovedUsed during the release process for point releasesFrozenDueToAgeSecurity

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions