go/parser: infinite loop in parsing (CVE-2023-24537)

[neild]

Calling any of the Parse functions on Go source code which contains //line directives with very large line numbers can cause an infinite loop due to integer overflow.

Thanks to Philippe Antoine (Catena cyber) for reporting this issue.

This is CVE-2023-24537 and Go issue https://go.dev/issue/59180.

/cc @golang/security and @golang/release

[julieqiu]

@gopherbot please open backport issues.

[gopherbot]

Backport issue(s) opened: #59273 (for 1.19), #59274 (for 1.20).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

[gopherbot]

Change https://go.dev/cl/481980 mentions this issue: [release-branch.go1.19] go/scanner: reject large line and column numbers in //line directives

[gopherbot]

Change https://go.dev/cl/481986 mentions this issue: [release-branch.go1.19] go/scanner: reject large line and column numbers in //line directives

[gopherbot]

Change https://go.dev/cl/481992 mentions this issue: [release-branch.go1.20] go/scanner: reject large line and column numbers in //line directives

[gopherbot]

Change https://go.dev/cl/482078 mentions this issue: go/scanner: reject large line and column numbers in //line directives