From: Ulrich Kunitz <ulikunitz@users.noreply.github.com>
Date: Wed, 19 Aug 2020 18:04:10 +0200
Subject: CVE-2021-29482
Origin: backport, https://github.com/ulikunitz/xz/commit/69c6093c7b2397b923acf82cb378f55ab2652b9b
---
bits.go | 7 ++++++-
bits_test.go | 11 +++++++++++
2 files changed, 17 insertions(+), 1 deletion(-)
10 | |
diff --git a/bits.go b/bits.go
|
11 | |
index fadc1a5..87d4623 100644
|
12 | |
--- a/bits.go
|
13 | |
+++ b/bits.go
|
14 | |
@@ -54,6 +54,8 @@ var errOverflowU64 = errors.New("xz: uvarint overflows 64-bit unsigned integer")
|
15 | |
|
16 | |
// readUvarint reads a uvarint from the given byte reader.
|
17 | |
func readUvarint(r io.ByteReader) (x uint64, n int, err error) {
|
18 | |
+ const maxUvarintLen = 10
|
19 | |
+
|
20 | |
var s uint
|
21 | |
i := 0
|
22 | |
for {
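Review bot: The doc comment `// readUvarint reads a uvarint from the given byte reader.` says nothing about the bound this patch introduces, and `const maxUvarintLen = 10` carries no explanation of why 10 is the limit, so the next reader has to re-derive it. I would extend the doc comment with `// At most maxUvarintLen bytes are consumed; a longer or wider encoding returns errOverflowU64, so malformed input cannot keep the loop reading.` and annotate the constant with `// maxUvarintLen is the longest valid uvarint: 10 groups of 7 bits cover a uint64.`. readUvarint's body continues past this hunk into the next one.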
|
23 | |
@@ -62,8 +64,11 @@ func readUvarint(r io.ByteReader) (x uint64, n int, err error) {
|
24 | |
return x, i, err
|
25 | |
}
|
26 | |
i++
|
27 | |
+ if i > maxUvarintLen {
|
28 | |
+ return x, i, errOverflowU64
|
29 | |
+ }
|
30 | |
if b < 0x80 {
|
31 | |
- if i > 10 || i == 10 && b > 1 {
|
32 | |
+ if i == maxUvarintLen && b > 1 {
|
33 | |
return x, i, errOverflowU64
|
34 | |
}
|
35 | |
return x | uint64(b)<<s, i, nil
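Review bot: The added `if i > maxUvarintLen` check is the only guard reached for a byte with the continuation bit set, since the inner `if i == maxUvarintLen && b > 1` sits under `if b < 0x80`; as far as the visible lines show, the removed check had the same placement, which is why a run of 0x80 bytes previously kept the loop going, and that intent is not recorded at the new check. I would add `// Reject an 11th byte outright: even a terminator here would overflow, and this is the bound that stops a run of continuation bytes.` above it. Both overflow returns hand back the partially decoded `x`, consistent with the existing `return x, i, err` on a read error, so callers must treat `x` as meaningless whenever `err != nil`; the loop body that updates `x` and `s` is outside this hunk.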
|
36 | |
diff --git a/bits_test.go b/bits_test.go
|
37 | |
index 68dac96..07ffc1f 100644
|
38 | |
--- a/bits_test.go
|
39 | |
+++ b/bits_test.go
|
40 | |
@@ -31,3 +31,14 @@ func TestUvarint(t *testing.T) {
|
41 | |
}
|
42 | |
}
|
43 | |
}
|
44 | |
+
|
45 | |
+func TestUvarIntCVE_2020_16845(t *testing.T) {
|
46 | |
+ var a = []byte{0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
|
47 | |
+ 0x88, 0x89, 0x8a, 0x8b}
|
48 | |
+
|
49 | |
+ r := bytes.NewReader(a)
|
50 | |
+ _, _, err := readUvarint(r)
|
51 | |
+ if err != errOverflowU64 {
|
52 | |
+ t.Fatalf("readUvarint overflow not detected")
|
53 | |
+ }
|
54 | |
+}
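Review bot: The new test only drives the `i > maxUvarintLen` path with eleven continuation bytes; the other guard, `i == maxUvarintLen && b > 1`, and the largest valid ten-byte encoding are left untested, so a regression in either would pass unnoticed. I would add the two cases below, using `^uint64(0)` as the expected maximum so no new import is needed. The function name cites CVE-2020-16845 while the patch subject cites CVE-2021-29482; a one-line comment saying which issue the name refers to would save readers a lookup, and spelling it `Uvarint` as in `readUvarint` would match the function under test.
```go
func TestUvarIntCVE_2020_16845(t *testing.T) {
	// … unchanged: eleven continuation bytes must report errOverflowU64 …

	// Tenth byte terminates but carries more than one significant bit.
	r = bytes.NewReader([]byte{0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x02})
	if _, _, err = readUvarint(r); err != errOverflowU64 {
		t.Fatalf("readUvarint: 10-byte overflow not detected")
	}

	// Largest encodable value (constructed: nine 0xff bytes then 0x01) must still decode.
	r = bytes.NewReader([]byte{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01})
	x, n, err := readUvarint(r)
	if err != nil || n != 10 || x != ^uint64(0) {
		t.Fatalf("readUvarint(max) = %d, %d, %v", x, n, err)
	}
}
```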
|