From 34ebafb8b65cef86fdda9bef64bc33e968e0d319 Mon Sep 17 00:00:00 2001 From: Michael Eischer Date: Fri, 20 Aug 2021 16:16:45 +0200 Subject: [PATCH] repository: don't crash if blob size is too short --- internal/repository/repository.go | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/internal/repository/repository.go b/internal/repository/repository.go index b43c3cec9..472c4cd15 100644 --- a/internal/repository/repository.go +++ b/internal/repository/repository.go @@ -801,6 +801,11 @@ func StreamPack(ctx context.Context, beLoad BackendLoadFn, key *crypto.Key, pack } currentBlobEnd = entry.Offset + entry.Length + if int(entry.Length) <= key.NonceSize() { + debug.Log("%v", blobs) + return errors.Errorf("invalid blob length %v", entry) + } + // decryption errors are likely permanent, give the caller a chance to skip them nonce, ciphertext := buf[:key.NonceSize()], buf[key.NonceSize():] plaintext, err := key.Open(ciphertext[:0], nonce, ciphertext, nil)