From 874b3132a84cf76da6a48978826c04c380a37a50 Mon Sep 17 00:00:00 2001
From: avivklas <avivklas@gmail.com>
Date: Fri, 7 Aug 2020 21:50:12 +0300
Subject: [PATCH] mime/multipart: return overflow errors in Reader.ReadForm

Updates Reader.ReadForm to check for overflow errors that may
result from a leeway addition of 10MiB to the input argument
maxMemory.

Fixes #40430

Change-Id: I510b8966c95c51d04695ba9d08fcfe005fd11a5d
Reviewed-on: https://go-review.googlesource.com/c/go/+/247477
Run-TryBot: Emmanuel Odeke <emm.odeke@gmail.com>
Trust: Cuong Manh Le <cuong.manhle.vn@gmail.com>
Trust: Emmanuel Odeke <emm.odeke@gmail.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Emmanuel Odeke <emm.odeke@gmail.com>

Upstream-Status: Backport [https://github.com/golang/go/commit/874b3132a84cf76da6a48978826c04c380a37a50]
CVE: CVE-2022-41725 #Dependency Patch1
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
 src/mime/multipart/formdata.go      |  4 ++++
 src/mime/multipart/formdata_test.go | 18 ++++++++++++++++++
 2 files changed, 22 insertions(+)

diff --git a/src/mime/multipart/formdata.go b/src/mime/multipart/formdata.go
index 832d0ad693666..4eb31012941ac 100644
--- a/src/mime/multipart/formdata.go
+++ b/src/mime/multipart/formdata.go
@@ -7,6 +7,7 @@ package multipart
 import (
 	"bytes"
 	"errors"
+	"fmt"
 	"io"
 	"io/ioutil"
 	"net/textproto"
@@ -41,6 +42,9 @@ func (r *Reader) readForm(maxMemory int64) (_ *Form, err error) {
 
 	// Reserve an additional 10 MB for non-file parts.
 	maxValueBytes := maxMemory + int64(10<<20)
+	if maxValueBytes <= 0 {
+		return nil, fmt.Errorf("multipart: integer overflow from maxMemory(%d) + 10MiB for non-file parts", maxMemory)
+	}
 	for {
 		p, err := r.NextPart()
 		if err == io.EOF {
diff --git a/src/mime/multipart/formdata_test.go b/src/mime/multipart/formdata_test.go
index 7d756c8c244a0..7112e0d3727fe 100644
--- a/src/mime/multipart/formdata_test.go
+++ b/src/mime/multipart/formdata_test.go
@@ -7,6 +7,7 @@ package multipart
 import (
 	"bytes"
 	"io"
+	"math"
 	"os"
 	"strings"
 	"testing"
@@ -52,6 +53,23 @@ func TestReadFormWithNamelessFile(t *testing.T) {
 	}
 }
 
+// Issue 40430: Ensure that we report integer overflows in additions of maxMemory,
+// instead of silently and subtly failing without indication.
+func TestReadFormMaxMemoryOverflow(t *testing.T) {
+	b := strings.NewReader(strings.ReplaceAll(messageWithTextContentType, "\n", "\r\n"))
+	r := NewReader(b, boundary)
+	f, err := r.ReadForm(math.MaxInt64)
+	if err == nil {
+		t.Fatal("Unexpected a non-nil error")
+	}
+	if f != nil {
+		t.Fatalf("Unexpected returned a non-nil form: %v\n", f)
+	}
+	if g, w := err.Error(), "integer overflow from maxMemory"; !strings.Contains(g, w) {
+		t.Errorf(`Error mismatch\n%q\ndid not contain\n%q`, g, w)
+	}
+}
+
 func TestReadFormWithTextContentType(t *testing.T) {
 	// From https://github.com/golang/go/issues/24041
 	b := strings.NewReader(strings.ReplaceAll(messageWithTextContentType, "\n", "\r\n"))