GO-2021-0225

Source
https://pkg.go.dev/vuln/GO-2021-0225
Import Source
https://vuln.go.dev/ID/GO-2021-0225.json
JSON Data
https://api.osv.dev/v1/vulns/GO-2021-0225
Withdrawn
2024-05-15T05:37:11.088754Z
Published
2022-01-13T03:44:52Z
Modified
2022-05-13T18:33:00Z
Summary
[none]
Details

Certain invalid inputs to ReadUvarint or ReadVarint could cause those functions to read an unlimited number of bytes from the ByteReader argument before returning an error. This could lead to processing more input than expected when the caller is reading directly from a network and depends on ReadUvarint and ReadVarint only consuming a small, bounded number of bytes, even from invalid inputs.

With the update, ReadUvarint and ReadVarint now always return after consuming a bounded number of bytes (specifically, MaxVarintLen64, which is 10). The result being returned has not changed; the functions merely detect and return some errors without reading as much input.
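As an added example (not code from this advisory or from the Go project), the following wraps the ByteReader handed to ReadUvarint so that no more than MaxVarintLen64 bytes can ever be consumed, giving a caller that reads from a network the bound described above even on an unpatched encoding/binary. The names limitedByteReader, continuationStream and ReadUvarintBounded are assumptions of this example, and the 0x80-forever stream is a constructed stand-in for a malicious peer.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// ErrVarintTooLong is this example's own error (not a standard library value).
var ErrVarintTooLong = errors.New("varint exceeds byte limit")

// limitedByteReader hands out at most max bytes from the underlying reader,
// so a varint decoder can never be driven to consume unbounded input.
type limitedByteReader struct {
	r   io.ByteReader
	n   int // bytes handed out so far
	max int
}

func (l *limitedByteReader) ReadByte() (byte, error) {
	if l.n >= l.max {
		return 0, ErrVarintTooLong
	}
	b, err := l.r.ReadByte()
	if err == nil {
		l.n++
	}
	return b, err
}

// continuationStream is a constructed peer that sends 0x80 forever: every byte
// has the continuation bit set, so the varint it encodes never terminates.
type continuationStream struct{ sent int }

func (s *continuationStream) ReadByte() (byte, error) {
	s.sent++
	return 0x80, nil
}

// ReadUvarintBounded decodes a uvarint from r while guaranteeing that at most
// binary.MaxVarintLen64 (10) bytes are consumed, whatever the Go version.
// It returns the value, the number of bytes consumed, and any error.
func ReadUvarintBounded(r io.ByteReader) (uint64, int, error) {
	lr := &limitedByteReader{r: r, max: binary.MaxVarintLen64}
	v, err := binary.ReadUvarint(lr)
	return v, lr.n, err
}

func main() {
	src := &continuationStream{}
	v, n, err := ReadUvarintBounded(src)
	fmt.Printf("value=%d consumed=%d err=%v\n", v, n, err)
}
```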

References

Affected packages

Go / encoding/binary

Package

Name
encoding/binary
Purl
pkg:golang/encoding/binary

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.13.15
Introduced
1.14.0
Fixed
1.14.7

Ecosystem specific

{
    "symbols": [
        "ReadUvarint"
    ]
}

Database specific

source
"https://vuln.go.dev/ID/GO-2021-0225.json"
url
"https://pkg.go.dev/vuln/GO-2021-0225"