GO-2021-0142

Source
https://pkg.go.dev/vuln/GO-2021-0142
Import Source
https://vuln.go.dev/ID/GO-2021-0142.json
JSON Data
https://api.osv.dev/v1/vulns/GO-2021-0142
Aliases
Published
2022-07-01T20:11:09Z
Modified
2024-05-20T16:03:47Z
Summary
Unbounded read from invalid inputs in encoding/binary
Details

ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs.

Certain invalid inputs to ReadUvarint or ReadVarint can cause these functions to read an unlimited number of bytes from the ByteReader parameter before returning an error. This can lead to processing more input than expected when the caller is reading directly from a network and depends on ReadUvarint or ReadVarint only consuming a small, bounded number of bytes, even from invalid inputs.
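One way to bound the consumption the Details paragraph describes, added here as an example that is not part of this record or of the Go standard library: wrap the ByteReader so that at most binary.MaxVarintLen64 bytes can ever be handed to ReadUvarint or ReadVarint, whatever the input looks like. The wrapper type, the two helper functions and the sample inputs are assumptions of this example; binary.MaxVarintLen64 is the real constant.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// ErrVarintTooLong is returned once the wrapper has handed out its byte budget.
var ErrVarintTooLong = errors.New("varint exceeds maximum encoded length")

// boundedByteReader is an io.ByteReader that hands out at most limit bytes,
// so a decoder that loops until it sees a terminating byte cannot be driven
// to consume arbitrary amounts of input from a network connection.
type boundedByteReader struct {
	r     io.ByteReader
	limit int
	n     int // bytes handed out so far
}

func (b *boundedByteReader) ReadByte() (byte, error) {
	if b.n >= b.limit {
		return 0, ErrVarintTooLong
	}
	c, err := b.r.ReadByte()
	if err == nil {
		b.n++
	}
	return c, err
}

// ReadUvarintBounded decodes one unsigned varint from r, consuming at most
// binary.MaxVarintLen64 bytes. It returns the value, the bytes consumed and any error.
func ReadUvarintBounded(r io.ByteReader) (uint64, int, error) {
	br := &boundedByteReader{r: r, limit: binary.MaxVarintLen64}
	v, err := binary.ReadUvarint(br)
	return v, br.n, err
}

// ReadVarintBounded is the signed counterpart with the same byte budget.
func ReadVarintBounded(r io.ByteReader) (int64, int, error) {
	br := &boundedByteReader{r: r, limit: binary.MaxVarintLen64}
	v, err := binary.ReadVarint(br)
	return v, br.n, err
}

func main() {
	// Constructed inputs: a valid encoding of 300, and 64 continuation
	// bytes (0x80) that never terminate the varint.
	for _, in := range [][]byte{{0xac, 0x02}, bytes.Repeat([]byte{0x80}, 64)} {
		v, n, err := ReadUvarintBounded(bytes.NewReader(in))
		fmt.Printf("value=%d consumed=%d err=%v\n", v, n, err)
	}
}
```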

References
Credits
    • Diederik Loerakker
    • Jonny Rhea
    • Raúl Kripalani
    • Preston Van Loon

Affected packages

Go / stdlib

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
1.13.15
Introduced
1.14.0-0
Fixed
1.14.7

Ecosystem specific

{
    "imports": [
        {
            "path": "encoding/binary",
            "symbols": [
                "ReadUvarint",
                "ReadVarint"
            ]
        }
    ]
}