| author | Benjamin Prosnitz <bprosnitz@gmail.com> | 2023-01-13 11:54:35 -0500 |
|---|---|---|
| committer | Gopher Robot <gobot@golang.org> | 2023-01-27 15:28:30 +0000 |
| commit | a106defddac515db4d70e1cad162b88dd026deee (patch) | |
| tree | f4eddff3e58e4e17b9eff8686125b7aca0c05b06 /src/encoding/hex/hex.go | |
| parent | 6b8b7823c7fd9f3f2317f657120dc2e965d97b77 (diff) | |
| download | go-a106defddac515db4d70e1cad162b88dd026deee.tar.xz | |
hex: fix panic in Decode when len(src) > 2*len(dst)
hex.Decode never checks the length of dst and triggers a panic
if there are insufficient bytes in the slice.
There isn't documentation on what the behavior *should* be in this case.
Two possibilities:
1. Error dst has insufficient space (as done in this change)
2. Reduce the length of the decode to min(dst, src)
Option 1 was chosen because it seems the least surprising or
subtle.
Change-Id: I3bf029e3d928202de716830434285e3c165f26dd
Reviewed-on: https://go-review.googlesource.com/c/go/+/461958
Reviewed-by: Ian Lance Taylor <iant@google.com>
Auto-Submit: Ian Lance Taylor <iant@google.com>
Reviewed-by: Bryan Mills <bcmills@google.com>
Run-TryBot: Ian Lance Taylor <iant@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Benjamin Prosnitz <bprosnitz@gmail.com>
Run-TryBot: Ian Lance Taylor <iant@golang.org>
Diffstat (limited to 'src/encoding/hex/hex.go')
| -rw-r--r-- | src/encoding/hex/hex.go | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/src/encoding/hex/hex.go b/src/encoding/hex/hex.go index 375f583170..5a8243ae80 100644 --- a/src/encoding/hex/hex.go +++ b/src/encoding/hex/hex.go @@ -75,6 +75,9 @@ func DecodedLen(x int) int { return x / 2 } // If the input is malformed, Decode returns the number // of bytes decoded before the error. func Decode(dst, src []byte) (int, error) { + if len(dst) < DecodedLen(len(src)) { + return 0, errors.New("encoding/hex: output buffer too small") + } i, j := 0, 1 for ; j < len(src); j += 2 { p := src[j-1] |
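Review bot: The new early return at the top of Decode builds its error inline with errors.New("encoding/hex: output buffer too small"), so callers have no value to compare against and would have to match on the message string. Returning a package-level error variable from this branch would let them test for it with errors.Is. The doc comment in the context lines above the function still describes only the malformed-input case; it should also say that Decode returns 0 and an error, without writing to dst, when len(dst) < DecodedLen(len(src)). The diffstat shown here is limited to hex.go, so confirm that a test with a too-small dst accompanies the change.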
