Codebase list golang-github-ulikunitz-xz / 820a627
Backport patch for CVE-2021-29482 Fixes readUvarint denial of service (Closes: #988243) Shengjing Zhu 2 years ago
2 changed file(s) with 56 addition(s) and 0 deletion(s).
0 From: Ulrich Kunitz <ulikunitz@users.noreply.github.com>
1 Date: Wed, 19 Aug 2020 18:04:10 +0200
2 Subject: CVE-2021-29482
3
4 Origin: backport, https://github.com/ulikunitz/xz/commit/69c6093c7b2397b923acf82cb378f55ab2652b9b
5 ---
6 bits.go | 7 ++++++-
7 bits_test.go | 11 +++++++++++
8 2 files changed, 17 insertions(+), 1 deletion(-)
9
10 diff --git a/bits.go b/bits.go
11 index fadc1a5..87d4623 100644
12 --- a/bits.go
13 +++ b/bits.go
14 @@ -54,6 +54,8 @@ var errOverflowU64 = errors.New("xz: uvarint overflows 64-bit unsigned integer")
15
16 // readUvarint reads a uvarint from the given byte reader.
17 func readUvarint(r io.ByteReader) (x uint64, n int, err error) {
18 + const maxUvarintLen = 10
19 +
20 var s uint
21 i := 0
22 for {
23 @@ -62,8 +64,11 @@ func readUvarint(r io.ByteReader) (x uint64, n int, err error) {
24 return x, i, err
25 }
26 i++
27 + if i > maxUvarintLen {
28 + return x, i, errOverflowU64
29 + }
30 if b < 0x80 {
31 - if i > 10 || i == 10 && b > 1 {
32 + if i == maxUvarintLen && b > 1 {
33 return x, i, errOverflowU64
34 }
35 return x | uint64(b)<<s, i, nil
36 diff --git a/bits_test.go b/bits_test.go
37 index 68dac96..07ffc1f 100644
38 --- a/bits_test.go
39 +++ b/bits_test.go
40 @@ -31,3 +31,14 @@ func TestUvarint(t *testing.T) {
41 }
42 }
43 }
44 +
45 +func TestUvarIntCVE_2020_16845(t *testing.T) {
46 + var a = []byte{0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
47 + 0x88, 0x89, 0x8a, 0x8b}
48 +
49 + r := bytes.NewReader(a)
50 + _, _, err := readUvarint(r)
51 + if err != errOverflowU64 {
52 + t.Fatalf("readUvarint overflow not detected")
53 + }
54 +}
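Review bot: The regression test added to bits_test.go is named `TestUvarIntCVE_2020_16845` while the patch subject, the Origin line and the Debian commit all cite CVE-2021-29482, and nothing in the hunk ties the two identifiers together (the 2020 one is apparently the analogous encoding/binary issue in Go's standard library); a comment above the test such as `// Regression test for CVE-2021-29482: readUvarint looped without bound on a stream of continuation bytes.` would stop readers from treating the name as a typo. In the bits.go hunk the new `i > maxUvarintLen` guard fires only after the eleventh byte has been consumed, so on overflow the caller receives `n == 11` and a partially assembled `x`; that mirrors the pre-existing error path, but the `const maxUvarintLen = 10` line deserves a why-comment, e.g. `// a uint64 fits in at most 10 uvarint bytes; reading an 11th is always an overflow`, since the constant now bounds both the loop and the final-byte check. The 10-byte boundary handled by `i == maxUvarintLen && b > 1` is not exercised by the new test; unless the existing TestUvarint above the hunk already feeds a 10-byte input ending in 0x01 (valid, maximal) and 0x02 (overflow), one case for each would pin both sides of that branch. readUvarint's body continues past the end of the hunk.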
0 0001-CVE-2021-29482.patch