Merge pull request #1041 from ClickHouse/fix_potential_overflow

fix(compressor): fixing an overflow that could potentially smuggle query in from data

Author: SpencerTorres

.gitignore

@@ -13,3 +13,6 @@
 
 # Dependency directories (remove the comment below to include it)
 # vendor/
+
+# Editors
+.idea/

compress/writer.go

@@ -56,8 +56,12 @@ func (w *Writer) Compress(buf []byte) error {
 		n = copy(w.Data[headerSize:], buf)
 	}
 
-	w.Data = w.Data[:n+headerSize]
+	// security: https://github.com/ClickHouse/ch-go/pull/1041
+	if uint64(n)+uint64(compressHeaderSize) > math.MaxUint32 {
+		return errors.New("compressed size overflows uint32")
+	}
 
+	w.Data = w.Data[:n+headerSize]
 	binary.LittleEndian.PutUint32(w.Data[hRawSize:], uint32(n+compressHeaderSize))
 	binary.LittleEndian.PutUint32(w.Data[hDataSize:], uint32(len(buf)))
 	h := city.CH128(w.Data[hMethod:])