dgit.raspbian.org Git - golang-1.15.git/commit

author	Roland Shoemaker <roland@golang.org>
	Tue, 11 May 2021 18:31:31 +0000 (11:31 -0700)
committer	Shengjing Zhu <zhsj@debian.org>
	Tue, 13 Jul 2021 05:55:42 +0000 (06:55 +0100)
commit	bbc037f0323544b0cbe384c45022675e0a006e80
tree	78908249f5a98fbd025f56335c232d2c3aada99e	tree \| snapshot
parent	ebf735a5ced2d1a5fd1d6324617e61c20f742bf6	commit \| diff

archive/zip: only preallocate File slice if reasonably sized

Since the number of files in the EOCD record isn't validated, it isn't
safe to preallocate Reader.Files using that field. A malformed archive
can indicate it contains up to 1 << 128 - 1 files. We can still safely
preallocate the slice by checking if the specified number of files in
the archive is reasonable, given the size of the archive.

Thanks to the OSS-Fuzz project for discovering this issue and to
Emmanuel Odeke for reporting it.

Updates #46242
Fixes #46396
Fixes CVE-2021-33196

Change-Id: I3c76d8eec178468b380d87fdb4a3f2cb06f0ee76
Reviewed-on: https://go-review.googlesource.com/c/go/+/318909
Trust: Roland Shoemaker <roland@golang.org>
Trust: Katie Hockman <katie@golang.org>
Trust: Joe Tsai <thebrokentoaster@gmail.com>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
Reviewed-by: Joe Tsai <thebrokentoaster@gmail.com>
(cherry picked from commit 74242baa4136c7a9132a8ccd9881354442788c8c)
Reviewed-on: https://go-review.googlesource.com/c/go/+/322949
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Origin: backport, https://github.com/golang/go/commit/c92adf420a3d9a5510f9aea382d826f0c9216a10

Gbp-Pq: Name 0008-CVE-2021-33196.patch

src/archive/zip/reader.go		diff \| blob \| history
src/archive/zip/reader_test.go		diff \| blob \| history