math/big: prevent overflow in (*Rat).SetString Credit to rsc@ for the original patch. Thanks to the OSS-Fuzz project for discovering this issue and to Emmanuel Odeke (@odeke_et) for reporting it. Fixes #50699 Fixes CVE-2022-23772 Change-Id: I590395a3d55689625390cf1e58f5f40623b26ee5 Reviewed-on: https://go-review.googlesource.com/c/go/+/379537 Trust: Katie Hockman <katie@golang.org> Run-TryBot: Katie Hockman <katie@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Emmanuel Odeke <emmanuel@orijtech.com> Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Julie Qiu <julie@golang.org>

commit: ad345c265916bbf6c646865e4642eafce6d39e78 [log] [tgz]
author: Katie Hockman <katie@golang.org> Wed Jan 19 16:54:41 2022 -0500
committer: Katie Hockman <katie@golang.org> Thu Jan 27 21:25:18 2022 +0000
tree: 80402c13271f9e871a2775bc38cf9c49dc99efcf
parent: f5fe5a4524d5e5390238ae7f5abcaa4299b31a37 [diff]
diff --git a/src/math/big/ratconv.go b/src/math/big/ratconv.go
index ac3c8bd..90053a9 100644
--- a/src/math/big/ratconv.go
+++ b/src/math/big/ratconv.go

@@ -169,6 +169,11 @@
 		n := exp5
 		if n < 0 {
 			n = -n
+			if n < 0 {
+				// This can occur if -n overflows. -(-1 << 63) would become
+				// -1 << 63, which is still negative.
+				return nil, false
+			}
 		}
 		if n > 1e6 {
 			return nil, false // avoid excessively large exponents

diff --git a/src/math/big/ratconv_test.go b/src/math/big/ratconv_test.go
index 15d206c..e55e655 100644
--- a/src/math/big/ratconv_test.go
+++ b/src/math/big/ratconv_test.go

@@ -104,6 +104,7 @@
 	{in: "4/3/"},
 	{in: "4/3."},
 	{in: "4/"},
+	{in: "13e-9223372036854775808"}, // CVE-2022-23772
 
 	// valid
 	{"0", "0", true},
commit	ad345c265916bbf6c646865e4642eafce6d39e78	[log] [tgz]
author	Katie Hockman <katie@golang.org>	Wed Jan 19 16:54:41 2022 -0500
committer	Katie Hockman <katie@golang.org>	Thu Jan 27 21:25:18 2022 +0000
tree	80402c13271f9e871a2775bc38cf9c49dc99efcf
parent	f5fe5a4524d5e5390238ae7f5abcaa4299b31a37 [diff]