You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I noticed this bug in Go 1.5.1 (and earlier versions) on windows/386, but it doesn't affect 64-bit versions (at least not versions that use a 64-bit int type).
The reason for this can be found on line 733 of image/png/reader.go, where min(len(ignored), int(length)) is calculated. length is a 32-bit unsigned value and already guaranteed to be greater than 0. On 64-bit systems, a value of length greater than 0x80000000 will be converted to a valid int because an int value is larger than 32 bits. After the conversion, the value will be safely ignored in favor of len(ignored), which is 4096. On 32-bit systems, however, this value will pass the initial positivity check, but will then become negative when converted to a 32-bit int. This negative value will be seen as the smaller of the two values by min, leading it to be used as an array bound and therefore the panic.
The code shown below attempts to decode a clearly invalid PNG image, but panics instead of returning an error on 32-bit systems:
I noticed this bug in Go 1.5.1 (and earlier versions) on windows/386, but it doesn't affect 64-bit versions (at least not versions that use a 64-bit
int
type).The reason for this can be found on line 733 of image/png/reader.go, where
min(len(ignored), int(length))
is calculated.length
is a 32-bit unsigned value and already guaranteed to be greater than 0. On 64-bit systems, a value of length greater than 0x80000000 will be converted to a valid int because an int value is larger than 32 bits. After the conversion, the value will be safely ignored in favor oflen(ignored)
, which is 4096. On 32-bit systems, however, this value will pass the initial positivity check, but will then become negative when converted to a 32-bit int. This negative value will be seen as the smaller of the two values bymin
, leading it to be used as an array bound and therefore the panic.The code shown below attempts to decode a clearly invalid PNG image, but panics instead of returning an error on 32-bit systems:
The text was updated successfully, but these errors were encountered: