encoding/gob: stack exhaustion in Decoder.Decode

[tatianab]

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion.

This is CVE-2022-30635.

(This was a PRIVATE issue tracked in http://b/231318421 and fixed by http://tg/1484771.)

/cc https://github.com/orgs/golang/teams/security and https://github.com/orgs/golang/teams/release

[tatianab]

@gopherbot please open backport issues for this security fix

[gopherbot]

Backport issue(s) opened: #53709 (for 1.17), #53710 (for 1.18).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

[gopherbot]

Change https://go.dev/cl/417060 mentions this issue: [release-branch.go1.18] encoding/gob: add a depth limit for ignored fields

[gopherbot]

Change https://go.dev/cl/417064 mentions this issue: encoding/gob: add a depth limit for ignored fields

[gopherbot]

Change https://go.dev/cl/417074 mentions this issue: [release-branch.go1.17] encoding/gob: add a depth limit for ignored fields