windows: fix OOB read in Readlink reparse point parsing

[mohammadmseet-hue]

Readlink on Windows uses subtraction instead of addition
when computing the PrintName slice from a mount point or
symlink reparse data buffer.

Per the Windows REPARSE_DATA_BUFFER documentation,
PrintNameOffset is the byte offset and PrintNameLength is
the byte length of the print name. The correct end index
is (PrintNameOffset + PrintNameLength) / 2, but the code
computes (PrintNameLength - PrintNameOffset) / 2.

When PrintNameOffset is non-zero (common for symlinks where
the substitute name precedes the print name in PathBuffer),
the subtraction produces a smaller-than-intended or negative
slice index, causing either a truncated result or an
out-of-bounds heap read of up to ~64KB.

The Go standard library fixed this same bug in
internal/syscall/windows in 2016-2017 (issues #15978,
#16861), but the x/sys copy was never updated.

The fix changes the two subtraction operations to addition
on both the IO_REPARSE_TAG_SYMLINK and
IO_REPARSE_TAG_MOUNT_POINT code paths, matching the
corrected standard library implementation.

[gopherbot]

This PR (HEAD: 1f239af) has been imported to Gerrit for code review.

Please visit Gerrit at https://go-review.googlesource.com/c/sys/+/760001.

Important tips:

• Don't comment on this PR. All discussion takes place in Gerrit.
• You need a Gmail or other Google account to log in to Gerrit.
• To change your code in response to feedback:
  • Push a new commit to the branch used by your GitHub PR.
  • A new "patch set" will then appear in Gerrit.
  • Respond to each comment by marking as Done in Gerrit if implemented as suggested. You can alternatively write a reply.
  • Critical: you must click the blue Reply button near the top to publish your Gerrit responses.
  • Multiple commits in the PR will be squashed by GerritBot.
• The title and description of the GitHub PR are used to construct the final commit message.
  • Edit these as needed via the GitHub web interface (not via Gerrit or git).
  • You should word wrap the PR description at ~76 characters unless you need longer lines (e.g., for tables or URLs).
• See the Sending a change via GitHub and Reviews sections of the Contribution Guide as well as the FAQ for details.

[gopherbot]

Message from Gopher Robot:

Patch Set 1:

(1 comment)

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/760001.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

Message from Mohammad Seet:

Patch Set 1:

(1 comment)

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/760001.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

Message from Mohammad Seet:

Patch Set 1:

(1 comment)

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/760001.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

This PR (HEAD: ca3e5dd) has been imported to Gerrit for code review.

Please visit Gerrit at https://go-review.googlesource.com/c/sys/+/760001.

Important tips:

• Don't comment on this PR. All discussion takes place in Gerrit.
• You need a Gmail or other Google account to log in to Gerrit.
• To change your code in response to feedback:
  • Push a new commit to the branch used by your GitHub PR.
  • A new "patch set" will then appear in Gerrit.
  • Respond to each comment by marking as Done in Gerrit if implemented as suggested. You can alternatively write a reply.
  • Critical: you must click the blue Reply button near the top to publish your Gerrit responses.
  • Multiple commits in the PR will be squashed by GerritBot.
• The title and description of the GitHub PR are used to construct the final commit message.
  • Edit these as needed via the GitHub web interface (not via Gerrit or git).
  • You should word wrap the PR description at ~76 characters unless you need longer lines (e.g., for tables or URLs).
• See the Sending a change via GitHub and Reviews sections of the Contribution Guide as well as the FAQ for details.

[gopherbot]

Message from Mohammad Seet:

Patch Set 1:

Done. Updated PR description to remove markdown formatting, wrap lines at ~76 characters, and fix any issues flagged by the bot.

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/760001.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

Message from Alex Brainman:

Patch Set 2:

(1 comment)

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/760001.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

Message from Mohammad Seet:

Patch Set 2:

Hi Alex, fair point — it's not a heavily used code path, but even if usage is low, an OOB read in a syscall wrapper is the kind of thing that can bite someone down the line — especially since the fix is small and doesn't change behavior for valid inputs. Figured it's better to bounds-check now than leave it as a footgun for whoever touches this next.

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/760001.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

Message from Alex Brainman:

Patch Set 2:

(1 comment)

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/760001.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

Message from Mohammad Seet:

Patch Set 2:

Hi Alex,

I ran into this while auditing the x/sys reparse point handling and cross-referencing it with the stdlib implementation. Wrote a few test cases with crafted reparse buffers to confirm the math was wrong — when PrintNameOffset > 0 (which is the normal case for symlinks where SubstituteName comes first in PathBuffer), the subtraction produces a bogus end index.

On the syscall.Readlink difference — the two implementations intentionally read different fields: syscall.Readlink uses SubstituteName and then strips the \??\ prefix, while x/sys uses PrintName which is already the clean display path. That part is fine and I'm not changing it. The only thing this CL fixes is the offset arithmetic: subtraction → addition, same correction the stdlib applied to its own SubstituteName slicing.

I'll add a test in the next patchset.

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/760001.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

This PR (HEAD: be72080) has been imported to Gerrit for code review.

Please visit Gerrit at https://go-review.googlesource.com/c/sys/+/760001.

Important tips:

• Don't comment on this PR. All discussion takes place in Gerrit.
• You need a Gmail or other Google account to log in to Gerrit.
• To change your code in response to feedback:
  • Push a new commit to the branch used by your GitHub PR.
  • A new "patch set" will then appear in Gerrit.
  • Respond to each comment by marking as Done in Gerrit if implemented as suggested. You can alternatively write a reply.
  • Critical: you must click the blue Reply button near the top to publish your Gerrit responses.
  • Multiple commits in the PR will be squashed by GerritBot.
• The title and description of the GitHub PR are used to construct the final commit message.
  • Edit these as needed via the GitHub web interface (not via Gerrit or git).
  • You should word wrap the PR description at ~76 characters unless you need longer lines (e.g., for tables or URLs).
• See the Sending a change via GitHub and Reviews sections of the Contribution Guide as well as the FAQ for details.

[gopherbot]

Message from Alex Brainman:

Patch Set 3:

(1 comment)

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/760001.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

Message from Alex Brainman:

Patch Set 3: Commit-Queue+1 TryBot-Bypass+1

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/760001.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

Message from Go LUCI:

Patch Set 3:

Dry run: CV is trying the patch.

Bot data: {"action":"start","triggered_at":"2026-04-11T07:42:07Z","revision":"296616a37fb9d4f08780648c7f56fcb49ea98d52"}

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/760001.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

Message from Alex Brainman:

Patch Set 3: -Commit-Queue

(Performed by <GERRIT_ACCOUNT_60063> on behalf of <GERRIT_ACCOUNT_5070>)

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/760001.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

Message from Go LUCI:

Patch Set 3:

This CL has passed the run

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/760001.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

Message from Go LUCI:

Patch Set 3: LUCI-TryBot-Result+1

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/760001.
After addressing review feedback, remember to publish your drafts!