Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/image/tiff: slice bounds out of range #10596

Closed
dvyukov opened this issue Apr 28, 2015 · 3 comments
Closed

x/image/tiff: slice bounds out of range #10596

dvyukov opened this issue Apr 28, 2015 · 3 comments
Labels
FrozenDueToAge

Comments

@dvyukov
Copy link
Member

dvyukov commented Apr 28, 2015

The following program crashes as:

panic: runtime error: slice bounds out of range
goroutine 1 [running]:
golang.org/x/image/tiff.(*decoder).ifdUint(0xc208072000, 0xc20801a0e4, 0xc, 0x3c, 0xc208074000, 0xc0000001, 0xc0000001, 0x0, 0x0)
    /ssd/src/gopath/src/golang.org/x/image/tiff/reader.go:98 +0x5e7
golang.org/x/image/tiff.(*decoder).parseIFD(0xc208072000, 0xc20801a0e4, 0xc, 0x3c, 0x0, 0x0)
    /ssd/src/gopath/src/golang.org/x/image/tiff/reader.go:125 +0x122
golang.org/x/image/tiff.newDecoder(0x7fdfb9016260, 0xc20800e440, 0x0, 0x0, 0x0)
    /ssd/src/gopath/src/golang.org/x/image/tiff/reader.go:415 +0x6d7
golang.org/x/image/tiff.Decode(0x7fdfb9016260, 0xc20800e440, 0x0, 0x0, 0x0, 0x0)
    /ssd/src/gopath/src/golang.org/x/image/tiff/reader.go:517 +0x6b
main.main()
    /tmp/tiff.go:9 +0xa6

package main

import (
    "strings"
    "golang.org/x/image/tiff"
)

func main() {
    tiff.Decode(strings.NewReader(data))
}

var data =  "II*\x00\xc8\x03\x00\x00000000000000" +
    "00000000000000000000" +
    "00000000000000000000" +
    "00000000000000000000" +
    "00000000000000000000" +
    "00000000000000000000" +
    "00000000000000000000" +
    "00000000000000000000" +
    "00000000000000000000" +
    "00000000000000000000" +
    "00000000000000000000" +
    "00000000000000000000" +
    "00000000000000000000" +
    "00000000000000000000" +
    "00000000000000000000" +
    "00000000000000000000" +
    "00000000000000000000" +
    "00000000000000000000" +
    "00000000000000000000" +
    "00000000000000000000" +
    "00000000000000000000" +
    "00000000000000000000" +
    "00000000000000000000" +
    "00000000000000000000" +
    "00000000000000000000" +
    "00000000000000000000" +
    "00000000000000000000" +
    "00000000000000000000" +
    "00000000000000000000" +
    "00000000000000000000" +
    "00000000000000000000" +
    "00000000000000000000" +
    "00000000000000000000" +
    "00000000000000000000" +
    "00000000000000000000" +
    "00000000000000000000" +
    "00000000000000000000" +
    "00000000000000000000" +
    "00000000000000000000" +
    "00000000000000000000" +
    "00000000000000000000" +
    "00000000000000000000" +
    "00000000000000000000" +
    "00000000000000000000" +
    "00000000000000000000" +
    "00000000000000000000" +
    "00000000000000000000" +
    "00000000000000000000" +
    "00000000\f\x000000000000" +
    "00000000000000000000" +
    "00000000000000000000" +
    "00000000000000000000" +
    "00000000000000\x17\x01\x04\x00\x01\x00" +
    "\x00\xc0000000000000000000" +
    "00000000000000000000" +
    "00000000000000000000" +
    "000000"

on commit b2f48f3f517c959ebf11245aa7bf39b127497e9c
@dvyukov
Copy link
Member Author

dvyukov commented Apr 28, 2015

/cc @bsiegert @chai2010 @osocurioso

@chai2010
Copy link
Contributor

The uint32(datalen) is large than math.MaxInt32, then if datalen > 4 test is false.
this cause the panic.

https://github.com/golang/image/blob/master/tiff/reader.go#L75

@bsiegert
Copy link
Contributor

https://go-review.googlesource.com/9378 x/image/tiff: reject IFDs whose data is longer than int.

@golang golang locked and limited conversation to collaborators Jun 25, 2016
mrhyperbit23z0d added a commit to mrhyperbit23z0d/bhegde8 that referenced this issue Jun 6, 2022
@mrhyperbit23z0d
tiff: reject IFDs whose data is longer than int.
928818a 
Fixes golang/go#10596

Change-Id: Ib5035569e84c67868c7f278281620f6c9b11b470
Reviewed-on: https://go-review.googlesource.com/9378
Reviewed-by: Nigel Tao <nigeltao@golang.org>
GalaxyForcew added a commit to GalaxyForcew/A1bisshy that referenced this issue Jun 6, 2022
@GalaxyForcew
tiff: reject IFDs whose data is longer than int.
717010b 
Fixes golang/go#10596

Change-Id: Ib5035569e84c67868c7f278281620f6c9b11b470
Reviewed-on: https://go-review.googlesource.com/9378
Reviewed-by: Nigel Tao <nigeltao@golang.org>
yi-ge3 added a commit to yi-ge3/wislie that referenced this issue Jun 6, 2022
@yi-ge3
tiff: reject IFDs whose data is longer than int.
594b352 
Fixes golang/go#10596

Change-Id: Ib5035569e84c67868c7f278281620f6c9b11b470
Reviewed-on: https://go-review.googlesource.com/9378
Reviewed-by: Nigel Tao <nigeltao@golang.org>
balloontmz6 added a commit to balloontmz6/Likewise42l that referenced this issue Jun 6, 2022
@balloontmz6
tiff: reject IFDs whose data is longer than int.
564bc47 
Fixes golang/go#10596

Change-Id: Ib5035569e84c67868c7f278281620f6c9b11b470
Reviewed-on: https://go-review.googlesource.com/9378
Reviewed-by: Nigel Tao <nigeltao@golang.org>
snapbakkhfbav added a commit to snapbakkhfbav/SayedBaladohr that referenced this issue Oct 6, 2022
@snapbakkhfbav
tiff: reject IFDs whose data is longer than int.
dc52cd3 
Fixes golang/go#10596

Change-Id: Ib5035569e84c67868c7f278281620f6c9b11b470
Reviewed-on: https://go-review.googlesource.com/9378
Reviewed-by: Nigel Tao <nigeltao@golang.org>
MiderWong5ddop added a commit to MiderWong5ddop/sidie88f that referenced this issue Oct 7, 2022
@MiderWong5ddop
tiff: reject IFDs whose data is longer than int.
042996b 
Fixes golang/go#10596

Change-Id: Ib5035569e84c67868c7f278281620f6c9b11b470
Reviewed-on: https://go-review.googlesource.com/9378
Reviewed-by: Nigel Tao <nigeltao@golang.org>
rorypeckwnt4v added a commit to rorypeckwnt4v/LearnByBhanuPrataph that referenced this issue Oct 7, 2022
@rorypeckwnt4v
tiff: reject IFDs whose data is longer than int.
9fabc34 
Fixes golang/go#10596

Change-Id: Ib5035569e84c67868c7f278281620f6c9b11b470
Reviewed-on: https://go-review.googlesource.com/9378
Reviewed-by: Nigel Tao <nigeltao@golang.org>
egorovcharenko9 added a commit to egorovcharenko9/RiceBIOC470z that referenced this issue Oct 7, 2022
@egorovcharenko9
tiff: reject IFDs whose data is longer than int.
097e047 
Fixes golang/go#10596

Change-Id: Ib5035569e84c67868c7f278281620f6c9b11b470
Reviewed-on: https://go-review.googlesource.com/9378
Reviewed-by: Nigel Tao <nigeltao@golang.org>
RafayGhafoorf added a commit to RafayGhafoorf/dustinsand8 that referenced this issue Oct 7, 2022
@RafayGhafoorf
tiff: reject IFDs whose data is longer than int.
183cfb4 
Fixes golang/go#10596

Change-Id: Ib5035569e84c67868c7f278281620f6c9b11b470
Reviewed-on: https://go-review.googlesource.com/9378
Reviewed-by: Nigel Tao <nigeltao@golang.org>
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@bsiegert @dvyukov @chai2010 @nigeltao @gopherbot