From f2427c09d6bfc4638026c55e61b7964cb47574f1 Mon Sep 17 00:00:00 2001
From: Damien Neil
Date: Fri, 20 Dec 2019 09:43:20 -0800
Subject: [PATCH] proto, internal/impl: reject invalid field numbers in map items
Change-Id: I44a44a36538f6f8b94078b43711d865edb6244f5
Reviewed-on: https://go-review.googlesource.com/c/protobuf/+/212257
Reviewed-by: Herbie Ong
---
 internal/impl/codec_map.go | 7 +++++++
 proto/decode.go | 3 +++
 proto/testmessages_test.go | 11 +++++++++++
 3 files changed, 21 insertions(+)
diff --git a/internal/impl/codec_map.go b/internal/impl/codec_map.go
index 94a1bc49..05d1ecd1 100644
--- a/internal/impl/codec_map.go
+++ b/internal/impl/codec_map.go
@@ -5,6 +5,7 @@ package impl
 import (
+ "errors"
 "reflect"
 "sort"
@@ -120,6 +121,9 @@ func consumeMap(b []byte, mapv reflect.Value, wtyp wire.Type, mapi *mapInfo, opt
 if n < 0 {
 return 0, wire.ParseError(n)
 }
+ if num > wire.MaxValidNumber {
+ return 0, errors.New("invalid field number")
+ }
 b = b[n:]
 err := errUnknown
 switch num {
@@ -169,6 +173,9 @@ func consumeMapOfMessage(b []byte, mapv reflect.Value, wtyp wire.Type, mapi *map
 if n < 0 {
 return 0, wire.ParseError(n)
 }
+ if num > wire.MaxValidNumber {
+ return 0, errors.New("invalid field number")
+ }
 b = b[n:]
 err := errUnknown
 switch num {
diff --git a/proto/decode.go b/proto/decode.go
index 07ae4677..03ea7ecc 100644
--- a/proto/decode.go
+++ b/proto/decode.go
@@ -183,6 +183,9 @@ func (o UnmarshalOptions) unmarshalMap(b []byte, wtyp wire.Type, mapv protorefle
 if n < 0 {
 return 0, wire.ParseError(n)
 }
+ if num > wire.MaxValidNumber {
+ return 0, errors.New("invalid field number")
+ }
 b = b[n:]
 err = errUnknown
 switch num {
diff --git a/proto/testmessages_test.go b/proto/testmessages_test.go
index 48c0c340..8206ed21 100644
--- a/proto/testmessages_test.go
+++ b/proto/testmessages_test.go
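Review bot: The bound check added in consumeMap is repeated verbatim in consumeMapOfMessage and in unmarshalMap (proto/decode.go), each building a fresh error with `errors.New("invalid field number")`, so callers cannot match it with errors.Is and the three copies can drift apart. Within codec_map.go a package-level `var errInvalidFieldNumber = errors.New("invalid field number")` returned from both sites would keep them identical. decode.go gains no import in this commit, so its `errors` is whichever package that file already imports; if that is not the standard-library package added to codec_map.go, the same malformed input may produce a different message or error type in the two packages, which is worth confirming. Only the upper bound is tested in the visible lines; the lower bound is presumably rejected where the tag is parsed, outside these hunks, and a one-line comment saying so next to the check would help the next reader. All three function bodies start and end outside their hunks.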
@@ -1608,4 +1608,15 @@ var testInvalidMessages = []testProto{
 pack.Tag{pack.MaxValidNumber + 1, pack.VarintType}, pack.Varint(1008),
 }.Marshal(),
 },
+ {
+ desc: "invalid field number in map",
+ decodeTo: []proto.Message{(*testpb.TestAllTypes)(nil)},
+ wire: pack.Message{
+ pack.Tag{56, pack.BytesType}, pack.LengthPrefix(pack.Message{
+ pack.Tag{1, pack.VarintType}, pack.Varint(1056),
+ pack.Tag{2, pack.VarintType}, pack.Varint(1156),
+ pack.Tag{pack.MaxValidNumber + 1, pack.VarintType}, pack.Varint(0),
+ }),
+ }.Marshal(),
+ },
 }
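Review bot: The new case exercises only a map entry with a varint key and a varint value (field 56), so the check added to consumeMapOfMessage for message-valued maps has no rejecting input in this commit. A sibling entry that places the same `pack.Tag{pack.MaxValidNumber + 1, pack.VarintType}, pack.Varint(0)` item inside an entry of a message-valued map field of TestAllTypes would pin that path as well. A short comment on the last tag, for example `// out-of-range field number after an otherwise valid key and value`, would make clear that the entry is well formed up to that point. The testInvalidMessages literal begins outside the hunk.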