Advisories for Golang/Github.com/Ipld/Go-Car/V2/Blockstore package

2022

Malformed CAR panics and excessive memory usage

Impact Versions impacted <= go-car@v0.3.3 <= go-car@v2.3.0 Description Decoding CAR data from untrusted user input can cause: Panics: Out of bound memory access Out of memory Divide by zero Excessive memory usage Such panics can be triggered by intentionally malformed CARv1 data, including CARv1 data within a CARv2 container; and also CARv2 data with excessively large indexes. These vulnerabilities are not known to be exploited in the wild and were …