| id: GO-2021-0142 |
| modules: |
| - module: std |
| versions: |
| - fixed: 1.13.15 |
| - introduced: 1.14.0-0 |
| - fixed: 1.14.7 |
| vulnerable_at: 1.14.6 |
| packages: |
| - package: encoding/binary |
| symbols: |
| - ReadUvarint |
| - ReadVarint |
| summary: Unbounded read from invalid inputs in encoding/binary |
| description: |- |
| ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid |
| inputs. |
| |
| Certain invalid inputs to ReadUvarint or ReadVarint can cause these functions to |
| read an unlimited number of bytes from the ByteReader parameter before returning |
| an error. This can lead to processing more input than expected when the caller |
| is reading directly from a network and depends on ReadUvarint or ReadVarint only |
| consuming a small, bounded number of bytes, even from invalid inputs. |
| published: 2022-07-01T20:11:09Z |
| cves: |
| - CVE-2020-16845 |
| ghsas: |
| - GHSA-q6gq-997w-f55g |
| credits: |
| - Diederik Loerakker |
| - Jonny Rhea |
| - Raúl Kripalani |
| - Preston Van Loon |
| references: |
| - fix: https://go.dev/cl/247120 |
| - fix: https://go.googlesource.com/go/+/027d7241ce050d197e7fabea3d541ffbe3487258 |
| - report: https://go.dev/issue/40618 |
| - web: https://groups.google.com/g/golang-announce/c/NyPIaucMgXo |
| review_status: REVIEWED |