x/crypto/cryptobyte: slice bounds out of range with Unwrite #57112
Description
What version of Go are you using (go version)?
$ go version go version go1.19 linux/amd64
Does this issue reproduce with the latest release?
Yes
What operating system and processor architecture are you using (go env)?
go env Output
$ go env GO111MODULE="" GOARCH="amd64" GOBIN="" GOCACHE="/root/.cache/go-build" GOENV="/root/.config/go/env" GOEXE="" GOEXPERIMENT="" GOFLAGS="" GOHOSTARCH="amd64" GOHOSTOS="linux" GOINSECURE="" GOMODCACHE="/root/go/pkg/mod" GONOPROXY="" GONOSUMDB="" GOOS="linux" GOPATH="/root/go" GOPRIVATE="" GOPROXY="https://proxy.golang.org,direct" GOROOT="/root/.go" GOSUMDB="sum.golang.org" GOTMPDIR="" GOTOOLDIR="/root/.go/pkg/tool/linux_amd64" GOVCS="" GOVERSION="go1.19" GCCGO="gccgo" GOAMD64="v1" AR="ar" CC="clang" CXX="clang++" CGO_ENABLED="1" GOMOD="/src/ngolo-fuzzing/go.mod" GOWORK="" CGO_CFLAGS="-g -O2" CGO_CPPFLAGS="" CGO_CXXFLAGS="-g -O2" CGO_FFLAGS="-g -O2" CGO_LDFLAGS="-g -O2" PKG_CONFIG="pkg-config" GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -Wl,--no-gc-sections -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build2481516251=/tmp/go-build -gno-record-gcc-switches"
What did you do?
Run https://go.dev/play/p/FlmHh9L0Ef1
What did you expect to see?
The program finishing and printing Hello
What did you see instead?
panic: runtime error: slice bounds out of range [:5404319552844595201] with capacity 1
goroutine 1 [running]:
golang.org/x/crypto/cryptobyte.(*Builder).Unwrite(...)
/tmp/gopath2977946317/pkg/mod/golang.org/x/[email protected]/cryptobyte/builder.go:323
main.main()
/tmp/sandbox3386522376/prog.go:13 +0x9f
Program exited.
Found by https://github.com/catenacyber/ngolo-fuzzing with oss-fuzz :
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53734
I guess the fix is to explicitly panic with a string if n < 0