hex: fix panic in Decode when len(src) > 2*len(dst)

hex.Decode never checks the length of dst and triggers a panic
if there are insufficient bytes in the slice.

There isn't document on what the behavior *should* be in this case.
Two possibilities:
1. Error dst has insufficient space (as done in this change)
2. Reduce the length of the decode to min(dst, src)

Option 1 was chosen because it seems the least surprising or
subtle.

Change-Id: I3bf029e3d928202de716830434285e3c165f26dd
Reviewed-on: https://go-review.googlesource.com/c/go/+/461958
Reviewed-by: Ian Lance Taylor <iant@google.com>
Auto-Submit: Ian Lance Taylor <iant@google.com>
Reviewed-by: Bryan Mills <bcmills@google.com>
Run-TryBot: Ian Lance Taylor <iant@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Benjamin Prosnitz <bprosnitz@gmail.com>
Run-TryBot: Ian Lance Taylor <iant@golang.org>

src/encoding/hex/hex.go

@@ -75,6 +75,9 @@ func DecodedLen(x int) int { return x / 2 }
 // If the input is malformed, Decode returns the number
 // of bytes decoded before the error.
 func Decode(dst, src []byte) (int, error) {
+	if len(dst) < DecodedLen(len(src)) {
+		return 0, errors.New("encoding/hex: output buffer too small")
+	}
 	i, j := 0, 1
 	for ; j < len(src); j += 2 {
 		p := src[j-1]

src/encoding/hex/hex_test.go

@@ -55,6 +55,15 @@ func TestDecode(t *testing.T) {
 	}
 }
 
+func TestDecode_tooFewDstBytes(t *testing.T) {
+	dst := make([]byte, 1)
+	src := []byte{'0', '1', '2', '3'}
+	_, err := Decode(dst, src)
+	if err == nil {
+		t.Errorf("expected Decode to return an error, but it returned none")
+	}
+}
+
 func TestEncodeToString(t *testing.T) {
 	for i, test := range encDecTests {
 		s := EncodeToString(test.dec)