1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
|
From c8866491ac424cdf39aedb325e6dec9e54418cfb Mon Sep 17 00:00:00 2001
From: Robert Griesemer <gri@golang.org>
Date: Sun, 2 May 2021 11:27:03 -0700
Subject: [PATCH] math/big: check for excessive exponents in Rat.SetString
CVE-2021-33198
Upstream-Status: Backport [https://github.com/golang/go/commit/df9ce19db6df32d94eae8760927bdfbc595433c3]
CVE: CVE-2021-33198
Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
Found by OSS-Fuzz https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33284
Thanks to Emmanuel Odeke for reporting this issue.
Updates #45910
Fixes #46305
Fixes CVE-2021-33198
Change-Id: I61e7b04dbd80343420b57eede439e361c0f7b79c
Reviewed-on: https://go-review.googlesource.com/c/go/+/316149
Trust: Robert Griesemer <gri@golang.org>
Trust: Katie Hockman <katie@golang.org>
Run-TryBot: Robert Griesemer <gri@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
Reviewed-by: Emmanuel Odeke <emmanuel@orijtech.com>
(cherry picked from commit 6c591f79b0b5327549bd4e94970f7a279efb4ab0)
Reviewed-on: https://go-review.googlesource.com/c/go/+/321831
Run-TryBot: Katie Hockman <katie@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
---
src/math/big/ratconv.go | 15 ++++++++-------
src/math/big/ratconv_test.go | 25 +++++++++++++++++++++++++
2 files changed, 33 insertions(+), 7 deletions(-)
diff --git a/src/math/big/ratconv.go b/src/math/big/ratconv.go
index e8cbdbe..90053a9 100644
--- a/src/math/big/ratconv.go
+++ b/src/math/big/ratconv.go
@@ -51,7 +51,8 @@ func (z *Rat) Scan(s fmt.ScanState, ch rune) error {
// An optional base-10 ``e'' or base-2 ``p'' (or their upper-case variants)
// exponent may be provided as well, except for hexadecimal floats which
// only accept an (optional) ``p'' exponent (because an ``e'' or ``E'' cannot
-// be distinguished from a mantissa digit).
+// be distinguished from a mantissa digit). If the exponent's absolute value
+// is too large, the operation may fail.
// The entire string, not just a prefix, must be valid for success. If the
// operation failed, the value of z is undefined but the returned value is nil.
func (z *Rat) SetString(s string) (*Rat, bool) {
@@ -174,6 +175,9 @@ func (z *Rat) SetString(s string) (*Rat, bool) {
return nil, false
}
}
+ if n > 1e6 {
+ return nil, false // avoid excessively large exponents
+ }
pow5 := z.b.abs.expNN(natFive, nat(nil).setWord(Word(n)), nil) // use underlying array of z.b.abs
if exp5 > 0 {
z.a.abs = z.a.abs.mul(z.a.abs, pow5)
@@ -186,15 +190,12 @@ func (z *Rat) SetString(s string) (*Rat, bool) {
}
// apply exp2 contributions
+ if exp2 < -1e7 || exp2 > 1e7 {
+ return nil, false // avoid excessively large exponents
+ }
if exp2 > 0 {
- if int64(uint(exp2)) != exp2 {
- panic("exponent too large")
- }
z.a.abs = z.a.abs.shl(z.a.abs, uint(exp2))
} else if exp2 < 0 {
- if int64(uint(-exp2)) != -exp2 {
- panic("exponent too large")
- }
z.b.abs = z.b.abs.shl(z.b.abs, uint(-exp2))
}
diff --git a/src/math/big/ratconv_test.go b/src/math/big/ratconv_test.go
index b820df4..e55e655 100644
--- a/src/math/big/ratconv_test.go
+++ b/src/math/big/ratconv_test.go
@@ -590,3 +590,28 @@ func TestIssue31184(t *testing.T) {
}
}
}
+
+func TestIssue45910(t *testing.T) {
+ var x Rat
+ for _, test := range []struct {
+ input string
+ want bool
+ }{
+ {"1e-1000001", false},
+ {"1e-1000000", true},
+ {"1e+1000000", true},
+ {"1e+1000001", false},
+
+ {"0p1000000000000", true},
+ {"1p-10000001", false},
+ {"1p-10000000", true},
+ {"1p+10000000", true},
+ {"1p+10000001", false},
+ {"1.770p02041010010011001001", false}, // test case from issue
+ } {
+ _, got := x.SetString(test.input)
+ if got != test.want {
+ t.Errorf("SetString(%s) got ok = %v; want %v", test.input, got, test.want)
+ }
+ }
+}
|