internal/impl: catch varint overflow in validator Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20477 Change-Id: I6afe82e3818f8b4e9cf5eded2125317eae8be49d Reviewed-on: https://go-review.googlesource.com/c/protobuf/+/217309 Reviewed-by: Joe Tsai <thebrokentoaster@gmail.com>

commit: 4d918167a9bc88cc4e0075853bdc776683c0d043 [log] [tgz]
author: Damien Neil <dneil@google.com> Sat Feb 01 10:39:11 2020 -0800
committer: Damien Neil <dneil@google.com> Mon Feb 03 18:21:31 2020 +0000
tree: 622a869cb5c247ba7c5ac4b90cb33e1736d4ad6d
parent: 74b1460c5b521ae9e54fe8e558a34017bd66d584 [diff] [blame]
diff --git a/internal/impl/validate.go b/internal/impl/validate.go
index bf5f60d..eab8ec0 100644
--- a/internal/impl/validate.go
+++ b/internal/impl/validate.go

@@ -360,7 +360,7 @@
 
 			switch wtyp {
 			case wire.VarintType:
-				if len(b) >= 10 {
+				if len(b) >= 9 {
 					switch {
 					case b[0] < 0x80:
 						b = b[1:]
@@ -380,7 +380,7 @@
 						b = b[8:]
 					case b[8] < 0x80:
 						b = b[9:]
-					case b[9] < 0x80:
+					case b[9] < 0x80 && b[9] < 2:
 						b = b[10:]
 					default:
 						return ValidationInvalid
@@ -405,7 +405,7 @@
 						b = b[8:]
 					case len(b) > 8 && b[8] < 0x80:
 						b = b[9:]
-					case len(b) > 9 && b[9] < 0x80:
+					case len(b) > 9 && b[9] < 2:
 						b = b[10:]
 					default:
 						return ValidationInvalid
commit	4d918167a9bc88cc4e0075853bdc776683c0d043	[log] [tgz]
author	Damien Neil <dneil@google.com>	Sat Feb 01 10:39:11 2020 -0800
committer	Damien Neil <dneil@google.com>	Mon Feb 03 18:21:31 2020 +0000
tree	622a869cb5c247ba7c5ac4b90cb33e1736d4ad6d
parent	74b1460c5b521ae9e54fe8e558a34017bd66d584 [diff] [blame]