From: Ulrich Kunitz <ulikunitz@users.noreply.github.com>
Date: Wed, 19 Aug 2020 18:04:10 +0200
Subject: CVE-2021-29482
Origin: backport, https://github.com/ulikunitz/xz/commit/69c6093c7b2397b923acf82cb378f55ab2652b9b
---
bits.go | 7 ++++++-
bits_test.go | 11 +++++++++++
2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/bits.go b/bits.go
|
|
11 |
index fadc1a5..87d4623 100644
|
|
12 |
--- a/bits.go
|
|
13 |
+++ b/bits.go
|
|
14 |
@@ -54,6 +54,8 @@ var errOverflowU64 = errors.New("xz: uvarint overflows 64-bit unsigned integer")
|
|
15 |
|
|
16 |
// readUvarint reads a uvarint from the given byte reader.
|
|
17 |
func readUvarint(r io.ByteReader) (x uint64, n int, err error) {
|
|
18 |
+ const maxUvarintLen = 10
|
|
19 |
+
|
|
20 |
var s uint
|
|
21 |
i := 0
|
|
22 |
for {
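Review bot: `maxUvarintLen = 10` carries no explanation of where the bound comes from or what it prevents, which is the whole point of this patch; suggest `// A uint64 needs at most ceil(64/7) = 10 base-128 digits (encoding/binary.MaxVarintLen64); bounding the loop keeps a stream of bytes with the continuation bit set from spinning forever (CVE-2021-29482).` above the const. Declaring it at package level next to errOverflowU64 would also let bits_test.go assert against the bound instead of a hand-counted byte slice. readUvarint's loop body continues in the next hunk.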
|
|
23 |
@@ -62,8 +64,11 @@ func readUvarint(r io.ByteReader) (x uint64, n int, err error) {
|
|
24 |
return x, i, err
|
|
25 |
}
|
|
26 |
i++
|
|
27 |
+ if i > maxUvarintLen {
|
|
28 |
+ return x, i, errOverflowU64
|
|
29 |
+ }
|
|
30 |
if b < 0x80 {
|
|
31 |
- if i > 10 || i == 10 && b > 1 {
|
|
32 |
+ if i == maxUvarintLen && b > 1 {
|
|
33 |
return x, i, errOverflowU64
|
|
34 |
}
|
|
35 |
return x | uint64(b)<<s, i, nil
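Review bot: The new guard `if i > maxUvarintLen` only fires after an eleventh byte has been read, so on input that stops after ten continuation bytes the overflow is never reported: ReadByte fails first and its error is passed through by the `return x, i, err` at the top of the hunk, which for an exhausted reader is io.EOF rather than errOverflowU64. A caller that treats a reader error as "need more data" would then misclassify a malformed varint as a truncated one. The tenth byte already decides the outcome, since a continuation bit there means the value needs more than 64 bits, so the guard can be `if i == maxUvarintLen && b >= 0x80 {` and no extra byte is consumed; the 11-byte input in the accompanying test still yields errOverflowU64, now with n == 10. readUvarint starts in the previous hunk and the rest of its loop body lies outside this one, so this assumes nothing else in the loop reads from r.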
|
|
36 |
diff --git a/bits_test.go b/bits_test.go
|
|
37 |
index 68dac96..07ffc1f 100644
|
|
38 |
--- a/bits_test.go
|
|
39 |
+++ b/bits_test.go
|
|
40 |
@@ -31,3 +31,14 @@ func TestUvarint(t *testing.T) {
|
|
41 |
}
|
|
42 |
}
|
|
43 |
}
|
|
44 |
+
|
|
45 |
+func TestUvarIntCVE_2020_16845(t *testing.T) {
|
|
46 |
+ var a = []byte{0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
|
|
47 |
+ 0x88, 0x89, 0x8a, 0x8b}
|
|
48 |
+
|
|
49 |
+ r := bytes.NewReader(a)
|
|
50 |
+ _, _, err := readUvarint(r)
|
|
51 |
+ if err != errOverflowU64 {
|
|
52 |
+ t.Fatalf("readUvarint overflow not detected")
|
|
53 |
+ }
|
|
54 |
+}
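Review bot: The test pins only the eleven-byte case and leaves the bound itself unchecked: ten bytes `0xff, …, 0xff, 0x01` should decode to math.MaxUint64 with n == 10, and the same prefix ending in `0x02` should return errOverflowU64, which is exactly the `i == maxUvarintLen && b > 1` branch added in bits.go. Adding both as a second case alongside this one would catch an off-by-one in maxUvarintLen that the current input cannot. The function name cites CVE_2020_16845 while the patch subject cites CVE-2021-29482, presumably the equivalent encoding/binary advisory, so a one-line comment above the function stating that relationship would stop readers from looking up the wrong advisory.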
|