From c683d278e2079b7df08a73f890ec1716fbbf5808 Mon Sep 17 00:00:00 2001
From: hanchao <hanchao47@huawei.com>
Date: Mon, 8 Aug 2022 17:50:49 +0800
Subject: [PATCH] golang: fix CVE-2022-32189

Score: 6.5
Reference: https://go-review.googlesource.com/c/go/+/419814
Conflict: NA
Reason: fix CVE-2022-32189
---
 ...o1.17-math-big-check-buffer-lengths-.patch | 129 ++++++++++++++++++
 golang.spec                                   |   6 +-
 2 files changed, 134 insertions(+), 1 deletion(-)
 create mode 100644 0074-release-branch.go1.17-math-big-check-buffer-lengths-.patch

diff --git a/0074-release-branch.go1.17-math-big-check-buffer-lengths-.patch b/0074-release-branch.go1.17-math-big-check-buffer-lengths-.patch
new file mode 100644
index 0000000..abaa9a1
--- /dev/null
+++ b/0074-release-branch.go1.17-math-big-check-buffer-lengths-.patch
@@ -0,0 +1,129 @@
+From 490df635ab990bcc5796cf5765c74675503d9964 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Fri, 15 Jul 2022 10:43:44 -0700
+Subject: [PATCH] [release-branch.go1.17] math/big: check buffer lengths in
+ GobDecode
+
+In Float.GobDecode and Rat.GobDecode, check buffer sizes before
+indexing slices.
+
+Updates #53871
+Fixes #54094
+
+Change-Id: I1b652c32c2bc7a0e8aa7620f7be9b2740c568b0a
+Reviewed-on: https://go-review.googlesource.com/c/go/+/417774
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Reviewed-by: Tatiana Bradley <tatiana@golang.org>
+Run-TryBot: Roland Shoemaker <roland@golang.org>
+(cherry picked from commit 055113ef364337607e3e72ed7d48df67fde6fc66)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/419814
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+
+Conflict:NA
+Reference:https://go-review.googlesource.com/c/go/+/419814
+
+---
+ src/math/big/floatmarsh.go      |  7 +++++++
+ src/math/big/floatmarsh_test.go | 12 ++++++++++++
+ src/math/big/ratmarsh.go        |  6 ++++++
+ src/math/big/ratmarsh_test.go   | 12 ++++++++++++
+ 4 files changed, 37 insertions(+)
+
+diff --git a/src/math/big/floatmarsh.go b/src/math/big/floatmarsh.go
+index d1c1dab069..990e085abe 100644
+--- a/src/math/big/floatmarsh.go
++++ b/src/math/big/floatmarsh.go
+@@ -8,6 +8,7 @@ package big
+ 
+ import (
+ 	"encoding/binary"
++	"errors"
+ 	"fmt"
+ )
+ 
+@@ -67,6 +68,9 @@ func (z *Float) GobDecode(buf []byte) error {
+ 		*z = Float{}
+ 		return nil
+ 	}
++	if len(buf) < 6 {
++		return errors.New("Float.GobDecode: buffer too small")
++	}
+ 
+ 	if buf[0] != floatGobVersion {
+ 		return fmt.Errorf("Float.GobDecode: encoding version %d not supported", buf[0])
+@@ -83,6 +87,9 @@ func (z *Float) GobDecode(buf []byte) error {
+ 	z.prec = binary.BigEndian.Uint32(buf[2:])
+ 
+ 	if z.form == finite {
++		if len(buf) < 10 {
++			return errors.New("Float.GobDecode: buffer too small for finite form float")
++		}
+ 		z.exp = int32(binary.BigEndian.Uint32(buf[6:]))
+ 		z.mant = z.mant.setBytes(buf[10:])
+ 	}
+diff --git a/src/math/big/floatmarsh_test.go b/src/math/big/floatmarsh_test.go
+index c056d78b80..401f45a51f 100644
+--- a/src/math/big/floatmarsh_test.go
++++ b/src/math/big/floatmarsh_test.go
+@@ -137,3 +137,15 @@ func TestFloatJSONEncoding(t *testing.T) {
+ 		}
+ 	}
+ }
++
++func TestFloatGobDecodeShortBuffer(t *testing.T) {
++	for _, tc := range [][]byte{
++		[]byte{0x1, 0x0, 0x0, 0x0},
++		[]byte{0x1, 0xfa, 0x0, 0x0, 0x0, 0x0},
++	} {
++		err := NewFloat(0).GobDecode(tc)
++		if err == nil {
++			t.Error("expected GobDecode to return error for malformed input")
++		}
++	}
++}
+diff --git a/src/math/big/ratmarsh.go b/src/math/big/ratmarsh.go
+index fbc7b6002d..56102e845b 100644
+--- a/src/math/big/ratmarsh.go
++++ b/src/math/big/ratmarsh.go
+@@ -45,12 +45,18 @@ func (z *Rat) GobDecode(buf []byte) error {
+ 		*z = Rat{}
+ 		return nil
+ 	}
++	if len(buf) < 5 {
++		return errors.New("Rat.GobDecode: buffer too small")
++	}
+ 	b := buf[0]
+ 	if b>>1 != ratGobVersion {
+ 		return fmt.Errorf("Rat.GobDecode: encoding version %d not supported", b>>1)
+ 	}
+ 	const j = 1 + 4
+ 	i := j + binary.BigEndian.Uint32(buf[j-4:j])
++	if len(buf) < int(i) {
++		return errors.New("Rat.GobDecode: buffer too small")
++	}
+ 	z.a.neg = b&1 != 0
+ 	z.a.abs = z.a.abs.setBytes(buf[j:i])
+ 	z.b.abs = z.b.abs.setBytes(buf[i:])
+diff --git a/src/math/big/ratmarsh_test.go b/src/math/big/ratmarsh_test.go
+index 351d109f8d..55a9878bb8 100644
+--- a/src/math/big/ratmarsh_test.go
++++ b/src/math/big/ratmarsh_test.go
+@@ -123,3 +123,15 @@ func TestRatXMLEncoding(t *testing.T) {
+ 		}
+ 	}
+ }
++
++func TestRatGobDecodeShortBuffer(t *testing.T) {
++	for _, tc := range [][]byte{
++		[]byte{0x2},
++		[]byte{0x2, 0x0, 0x0, 0x0, 0xff},
++	} {
++		err := NewRat(1, 2).GobDecode(tc)
++		if err == nil {
++			t.Error("expected GobDecode to return error for malformed input")
++		}
++	}
++}
+-- 
+2.30.2
+
diff --git a/golang.spec b/golang.spec
index 77f7016..2f8fc90 100644
--- a/golang.spec
+++ b/golang.spec
@@ -62,7 +62,7 @@
 
 Name:           golang
 Version:        1.15.7
-Release:        14
+Release:        15
 Summary:        The Go Programming Language
 License:        BSD and Public Domain
 URL:            https://golang.org/
@@ -219,6 +219,7 @@ Patch6070:	0070-release-branch.go1.17-encoding-xml-use-iterative-Ski.patch
 Patch6071:	0071-release-branch.go1.17-compress-gzip-fix-stack-exhaus.patch
 Patch6072:	0072-release-branch.go1.17-crypto-tls-randomly-generate-t.patch
 Patch6073:	0073-release-branch.go1.17-crypto-rand-properly-handle-la.patch
+Patch6074:	0074-release-branch.go1.17-math-big-check-buffer-lengths-.patch
 
 
 Patch9001:       0001-drop-hard-code-cert.patch
@@ -454,6 +455,9 @@ fi
 
 %changelog
 
+* Mon Aug 8 2022 hanchao<hanchao47@huawei.com> - 1.15.7-15
+- fix CVE-2022-32189
+
 * Thu Jul 26 2022 hanchao<hanchao47@huawei.com> - 1.15.7-14
 - fix CVE-2022-32148,CVE-2022-1962,CVE-2022-1705,CVE-2022-30633,
   CVE-2022-30635,CVE-2022-30632,CVE-2022-28131,
-- 
Gitee