From 8077b5bcd6f6d5d0b7b66a902ca28ce2bab66086 Mon Sep 17 00:00:00 2001
From: Sergey Matveev
Date: Mon, 23 Jan 2023 10:50:20 +0300
Subject: [PATCH] Stricter header validation

---
 ns_test.go | 12 ++++++++++++
 r.go | 6 +++++-
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/ns_test.go b/ns_test.go
index dbdaa8d..6ac07e4 100644
--- a/ns_test.go
+++ b/ns_test.go
@@ -131,6 +131,18 @@ func TestErrors(t *testing.T) {
 if _, err := r.Read(data); err == nil {
 t.FailNow()
 }
+
+ b = bytes.NewBufferString(":foobar,")
+ r = NewReader(b)
+ if _, err := r.Next(); err == nil {
+ t.FailNow()
+ }
+
+ b = bytes.NewBufferString("06:foobar,")
+ r = NewReader(b)
+ if _, err := r.Next(); err == nil {
+ t.FailNow()
+ }
 }

 func TestExample(t *testing.T) {
diff --git a/r.go b/r.go
index 0c65fd4..9b8f510 100644
--- a/r.go
+++ b/r.go
@@ -48,7 +48,11 @@ func (r *Reader) Next() (uint64, error) {
 if err != nil {
 return 0, fmt.Errorf("netstring header: %w", err)
 }
- size, err := strconv.ParseUint(string(lenRaw[:len(lenRaw)-1]), 10, 64)
+ lenRaw = lenRaw[:len(lenRaw)-1]
+ if len(lenRaw) > 1 && lenRaw[0] == '0' {
+ return 0, errors.New("netstring header: leading zero")
+ }
+ size, err := strconv.ParseUint(string(lenRaw), 10, 64)
 if err != nil {
 return 0, fmt.Errorf("netstring header: %w", err)
 }
--
2.44.0
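Review bot: The two new cases in TestErrors only assert that `r.Next()` fails, so the boundary the new check depends on is not pinned: nothing visible here verifies that a lone zero length (`"0:,"`) is still accepted after the `len(lenRaw) > 1` guard. A positive case for that input would protect against a later tightening that rejects every length starting with `0`; it may already exist elsewhere in the file, since TestErrors begins outside the hunk. The `":foobar,"` case presumably failed before this patch as well, because an empty string does not parse as a number, so only the `"06:foobar,"` case exercises the new branch. Replacing the bare `t.FailNow()` with something like `t.Fatal("leading zero in length was accepted")` would make a regression self-explanatory.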
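Review bot: The length returned by Next() is still unbounded after the new check: `strconv.ParseUint(string(lenRaw), 10, 64)` accepts any value up to the uint64 maximum, and nothing in this hunk caps it before it is handed back. If callers size buffers from that value when reading from untrusted peers, a limit should be enforced here or clearly documented as the caller's job; the read that fills lenRaw and the rest of Next() lie outside the hunk, so an existing bound may already apply there. The new branch would also benefit from a why-comment, for example `// Leading zeros are rejected so every length has exactly one encoding; "0" alone stays valid.` Finally, the patch touches no import block in r.go, so `errors` is presumably already imported there, which is worth confirming.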