GO-2021-0142

See a problem?

Source

https://pkg.go.dev/vuln/GO-2021-0142

Import Source

https://vuln.go.dev/ID/GO-2021-0142.json

JSON Data

https://api.osv.dev/v1/vulns/GO-2021-0142

Aliases

Published

2022-07-01T20:11:09Z

Modified

2024-05-20T16:03:47Z

Summary

Unbounded read from invalid inputs in encoding/binary

Details

ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs.

Certain invalid inputs to ReadUvarint or ReadVarint can cause these functions to read an unlimited number of bytes from the ByteReader parameter before returning an error. This can lead to processing more input than expected when the caller is reading directly from a network and depends on ReadUvarint or ReadVarint only consuming a small, bounded number of bytes, even from invalid inputs.

References

Credits

- Diederik Loerakker
- Jonny Rhea
- Raúl Kripalani
- Preston Van Loon

Affected packages

Go / stdlib

Package

Name: stdlib; View open source insights on deps.dev
Purl: pkg:golang/stdlib

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.13.15

Introduced

1.14.0-0

Fixed

1.14.7

Ecosystem specific

{
    "imports": [
        {
            "path": "encoding/binary",
            "symbols": [
                "ReadUvarint",
                "ReadVarint"
            ]
        }
    ]
}