image/png: fails to correctly handle certain invalid PNG images #31830
Labels
FrozenDueToAge
NeedsInvestigation
Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone
What version of Go are you using (
go version
)?Does this issue reproduce with the latest release?
Yes
What operating system and processor architecture are you using (
go env
)?go env
OutputThe same bug occurs in go 1.10 under Linux and I've seen at least one image triggering this bug in the wild, although they are somewhat rare.
Discussion
See https://play.golang.org/p/OwBqA7HLDHF
When decoding paletted PNG images,
image/png.Decode
makes an effort to handle the case where the PNG IDAT (pixel data) section refers to a palette entry index beyond the end of the palette (see src/png/reader.go).However, in the case where the PNG PLTE section contains exactly 255 colors, but the PNG IDAT section contains references to 256 colors, the result of
image/png.Decode
is an invalidPalettedImage
and nil error. The invalid Image panics when Image.At is invoked for pixels that reference the 256th color.As the above example shows, if the PNG PLTE contains 254 (or fewer) colors the decode image is valid and extra palette entries, initialize to black, for the out-of-range pixels.
I believe the problem is that readImagePass in png/reader.go should only skip palette size extension when the palette has 256 colors, not 255.
The text was updated successfully, but these errors were encountered: