math/big: prevent overflow in (*Rat).SetString Credit to rsc@ for the original patch. Thanks to the OSS-Fuzz project for discovering this issue and to Emmanuel Odeke (@odeke_et) for reporting it. Fixes #50699 Fixes CVE-2022-23772 Change-Id: I590395a3d55689625390cf1e58f5f40623b26ee5 Reviewed-on: https://go-review.googlesource.com/c/go/+/379537 Trust: Katie Hockman <katie@golang.org> Run-TryBot: Katie Hockman <katie@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Emmanuel Odeke <emmanuel@orijtech.com> Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Julie Qiu <julie@golang.org>
diff --git a/src/math/big/ratconv.go b/src/math/big/ratconv.go index ac3c8bd..90053a9 100644 --- a/src/math/big/ratconv.go +++ b/src/math/big/ratconv.go
@@ -169,6 +169,11 @@ n := exp5 if n < 0 { n = -n + if n < 0 { + // This can occur if -n overflows. -(-1 << 63) would become + // -1 << 63, which is still negative. + return nil, false + } } if n > 1e6 { return nil, false // avoid excessively large exponents
diff --git a/src/math/big/ratconv_test.go b/src/math/big/ratconv_test.go index 15d206c..e55e655 100644 --- a/src/math/big/ratconv_test.go +++ b/src/math/big/ratconv_test.go
@@ -104,6 +104,7 @@ {in: "4/3/"}, {in: "4/3."}, {in: "4/"}, + {in: "13e-9223372036854775808"}, // CVE-2022-23772 // valid {"0", "0", true},