From d9cd9f38d955e4b98971cc2247b1e5397da7821c Mon Sep 17 00:00:00 2001
From: hanchao <hanchao47@huawei.com>
Date: Mon, 8 Aug 2022 17:26:39 +0800
Subject: [PATCH] golang: fix CVE-2022-32189

Score: 6.5
Reference: https://go-review.googlesource.com/c/go/+/419814
Conflict: NA
Reason: fix CVE-2022-32189
---
 ...o1.17-math-big-check-buffer-lengths-.patch | 125 ++++++++++++++++++
 golang.spec                                   |   9 +-
 2 files changed, 133 insertions(+), 1 deletion(-)
 create mode 100644 0016-release-branch.go1.17-math-big-check-buffer-lengths-.patch

diff --git a/0016-release-branch.go1.17-math-big-check-buffer-lengths-.patch b/0016-release-branch.go1.17-math-big-check-buffer-lengths-.patch
new file mode 100644
index 0000000..78f8090
--- /dev/null
+++ b/0016-release-branch.go1.17-math-big-check-buffer-lengths-.patch
@@ -0,0 +1,125 @@
+From dc903a8196a831d23e9b6504239e09a9e6bcd98a Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Fri, 15 Jul 2022 10:43:44 -0700
+Subject: [PATCH] [release-branch.go1.17] math/big: check buffer lengths in
+ GobDecode
+
+In Float.GobDecode and Rat.GobDecode, check buffer sizes before
+indexing slices.
+
+Updates #53871
+Fixes #54094
+
+Change-Id: I1b652c32c2bc7a0e8aa7620f7be9b2740c568b0a
+Reviewed-on: https://go-review.googlesource.com/c/go/+/417774
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Reviewed-by: Tatiana Bradley <tatiana@golang.org>
+Run-TryBot: Roland Shoemaker <roland@golang.org>
+(cherry picked from commit 055113ef364337607e3e72ed7d48df67fde6fc66)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/419814
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+---
+ src/math/big/floatmarsh.go      |  7 +++++++
+ src/math/big/floatmarsh_test.go | 12 ++++++++++++
+ src/math/big/ratmarsh.go        |  6 ++++++
+ src/math/big/ratmarsh_test.go   | 12 ++++++++++++
+ 4 files changed, 37 insertions(+)
+
+diff --git a/src/math/big/floatmarsh.go b/src/math/big/floatmarsh.go
+index d1c1dab069..990e085abe 100644
+--- a/src/math/big/floatmarsh.go
++++ b/src/math/big/floatmarsh.go
+@@ -8,6 +8,7 @@ package big
+ 
+ import (
+ 	"encoding/binary"
++	"errors"
+ 	"fmt"
+ )
+ 
+@@ -67,6 +68,9 @@ func (z *Float) GobDecode(buf []byte) error {
+ 		*z = Float{}
+ 		return nil
+ 	}
++	if len(buf) < 6 {
++		return errors.New("Float.GobDecode: buffer too small")
++	}
+ 
+ 	if buf[0] != floatGobVersion {
+ 		return fmt.Errorf("Float.GobDecode: encoding version %d not supported", buf[0])
+@@ -83,6 +87,9 @@ func (z *Float) GobDecode(buf []byte) error {
+ 	z.prec = binary.BigEndian.Uint32(buf[2:])
+ 
+ 	if z.form == finite {
++		if len(buf) < 10 {
++			return errors.New("Float.GobDecode: buffer too small for finite form float")
++		}
+ 		z.exp = int32(binary.BigEndian.Uint32(buf[6:]))
+ 		z.mant = z.mant.setBytes(buf[10:])
+ 	}
+diff --git a/src/math/big/floatmarsh_test.go b/src/math/big/floatmarsh_test.go
+index c056d78b80..401f45a51f 100644
+--- a/src/math/big/floatmarsh_test.go
++++ b/src/math/big/floatmarsh_test.go
+@@ -137,3 +137,15 @@ func TestFloatJSONEncoding(t *testing.T) {
+ 		}
+ 	}
+ }
++
++func TestFloatGobDecodeShortBuffer(t *testing.T) {
++	for _, tc := range [][]byte{
++		[]byte{0x1, 0x0, 0x0, 0x0},
++		[]byte{0x1, 0xfa, 0x0, 0x0, 0x0, 0x0},
++	} {
++		err := NewFloat(0).GobDecode(tc)
++		if err == nil {
++			t.Error("expected GobDecode to return error for malformed input")
++		}
++	}
++}
+diff --git a/src/math/big/ratmarsh.go b/src/math/big/ratmarsh.go
+index fbc7b6002d..56102e845b 100644
+--- a/src/math/big/ratmarsh.go
++++ b/src/math/big/ratmarsh.go
+@@ -45,12 +45,18 @@ func (z *Rat) GobDecode(buf []byte) error {
+ 		*z = Rat{}
+ 		return nil
+ 	}
++	if len(buf) < 5 {
++		return errors.New("Rat.GobDecode: buffer too small")
++	}
+ 	b := buf[0]
+ 	if b>>1 != ratGobVersion {
+ 		return fmt.Errorf("Rat.GobDecode: encoding version %d not supported", b>>1)
+ 	}
+ 	const j = 1 + 4
+ 	i := j + binary.BigEndian.Uint32(buf[j-4:j])
++	if len(buf) < int(i) {
++		return errors.New("Rat.GobDecode: buffer too small")
++	}
+ 	z.a.neg = b&1 != 0
+ 	z.a.abs = z.a.abs.setBytes(buf[j:i])
+ 	z.b.abs = z.b.abs.setBytes(buf[i:])
+diff --git a/src/math/big/ratmarsh_test.go b/src/math/big/ratmarsh_test.go
+index 351d109f8d..55a9878bb8 100644
+--- a/src/math/big/ratmarsh_test.go
++++ b/src/math/big/ratmarsh_test.go
+@@ -123,3 +123,15 @@ func TestRatXMLEncoding(t *testing.T) {
+ 		}
+ 	}
+ }
++
++func TestRatGobDecodeShortBuffer(t *testing.T) {
++	for _, tc := range [][]byte{
++		[]byte{0x2},
++		[]byte{0x2, 0x0, 0x0, 0x0, 0xff},
++	} {
++		err := NewRat(1, 2).GobDecode(tc)
++		if err == nil {
++			t.Error("expected GobDecode to return error for malformed input")
++		}
++	}
++}
+-- 
+2.30.2
+
diff --git a/golang.spec b/golang.spec
index 173442a..943a4ff 100644
--- a/golang.spec
+++ b/golang.spec
@@ -66,7 +66,7 @@
 
 Name:           golang
 Version:        1.17.3
-Release:        5
+Release:        6
 Summary:        The Go Programming Language
 License:        BSD and Public Domain
 URL:            https://golang.org/
@@ -168,6 +168,7 @@ Patch6012:	0012-release-branch.go1.17-encoding-xml-use-iterative-Ski.patch
 Patch6013:	0013-release-branch.go1.17-compress-gzip-fix-stack-exhaus.patch
 Patch6014:	0014-release-branch.go1.17-crypto-tls-randomly-generate-t.patch
 Patch6015:	0015-release-branch.go1.17-crypto-rand-properly-handle-la.patch
+Patch6016:	0016-release-branch.go1.17-math-big-check-buffer-lengths-.patch
 
 ExclusiveArch:  %{golang_arches}
 
@@ -402,6 +403,12 @@ fi
 %files devel -f go-tests.list -f go-misc.list -f go-src.list
 
 %changelog
+* Mon Aug 8 2022 hanchao <hanchao47@huawei.com> - 1.17.3-6
+- Type:CVE
+- CVE:NA
+- SUG:NA
+- DESC: fix CVE-2022-32189
+
 * Tue Jul 26 2022 hanchao <hanchao47@huawei.com> - 1.17.3-5
 - Type:CVE
 - CVE:NA
-- 
Gitee