| module: std |
| package: encoding/binary |
| versions: |
| - fixed: go1.13.15 |
| - fixed: go1.14.7 |
| description: | |
| Certain invalid inputs to ReadUvarint or ReadVarint could cause those |
| functions to read an unlimited number of bytes from the ByteReader argument |
| before returning an error. This could lead to processing more input than |
| expected when the caller is reading directly from a network and depends on |
| ReadUvarint and ReadVarint only consuming a small, bounded number of bytes, |
| even from invalid inputs. |
| |
| With the update, ReadUvarint and ReadVarint now always return after consuming |
| a bounded number of bytes (specifically, MaxVarintLen64, which is 10). The |
| result being returned has not changed; the functions merely detect and return |
| some errors without reading as much input. |
| cves: |
| - CVE-2020-16845 |
| credit: Diederik Loerakker, Jonny Rhea, Raúl Kripalani, and Preston Van Loon |
| symbols: |
| - ReadUvarint |
| links: |
| pr: https://go.dev/cl/247120 |
| commit: https://go.googlesource.com/go/+/027d7241ce050d197e7fabea3d541ffbe3487258 |
| context: |
| - https://go.dev/issue/40618 |
| - https://groups.google.com/g/golang-announce/c/NyPIaucMgXo |
