[release-branch.go1.25] encoding/pem: properly calculate end indexes

When a block is missing the END line trailer, calculate the indexes of the end and end trailer _before_ continuing the loop, making the reslicing at the start of the loop work as expected. Fixes #76029 Change-Id: If45c8cb473315623618f02cc7609f517a72d232d Reviewed-on: https://go-review.googlesource.com/c/go/+/714200 Auto-Submit: Roland Shoemaker <roland@golang.org> Reviewed-by: Damien Neil <dneil@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> (cherry picked from commit 839da71f89) Reviewed-on: https://go-review.googlesource.com/c/go/+/714661 Reviewed-by: David Chase <drchase@google.com>
2025-12-08 06:10:04 +00:00 · 2025-10-23 08:16:39 -07:00 · 2025-10-23 08:16:39 -07:00 · 83885f3c22
commit 83885f3c22
parent 5ba37a3677
2 changed files with 9 additions and 2 deletions
--- a/src/encoding/pem/pem.go
+++ b/src/encoding/pem/pem.go
@ -95,6 +95,9 @@ func Decode(data []byte) (p *Block, rest []byte) {
 	for {
 		// If we've already tried parsing a block, skip past the END we already
 		// saw.
+		if endTrailerIndex < 0 || endTrailerIndex > len(rest) {
+			return nil, data
+		}
 		rest = rest[endTrailerIndex:]

 		// Find the first END line, and then find the last BEGIN line before
@ -116,11 +119,11 @@ func Decode(data []byte) (p *Block, rest []byte) {
 		var typeLine []byte
 		var consumed int
 		typeLine, rest, consumed = getLine(rest)
+		endIndex -= consumed
+		endTrailerIndex -= consumed
 		if !bytes.HasSuffix(typeLine, pemEndOfLine) {
 			continue
 		}
-		endIndex -= consumed
-		endTrailerIndex -= consumed
 		typeLine = typeLine[0 : len(typeLine)-len(pemEndOfLine)]

 		p = &Block{
--- a/src/encoding/pem/pem_test.go
+++ b/src/encoding/pem/pem_test.go
@ -736,3 +736,7 @@ func FuzzDecode(f *testing.F) {
 		Decode(data)
 	})
 }
+
+func TestMissingEndTrailer(t *testing.T) {
+	Decode([]byte{0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x42, 0x45, 0x47, 0x49, 0x4e, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0xa, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x45, 0x4e, 0x44, 0x20})
+}