image/png: fails to correctly handle certain invalid PNG images #31830

Closed
zuercher opened this issue May 3, 2019 · 2 comments
@zuercher
Contributor

zuercher commented May 3, 2019

What version of Go are you using (go version)?

$ go version
go version go1.12.4 darwin/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/szuercher/Library/Caches/go-build"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOOS="darwin"
GOPATH="/Users/szuercher/workspace/golang"
GOPROXY=""
GORACE=""
GOROOT="/usr/local/Cellar/go/1.12.4/libexec"
GOTMPDIR=""
GOTOOLDIR="/usr/local/Cellar/go/1.12.4/libexec/pkg/tool/darwin_amd64"
GCCGO="gccgo"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD="/Users/szuercher/workspace/pngbug/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/c5/jwz1mzyj7337sc6s71d5rscc0000gp/T/go-build351626190=/tmp/go-build -gno-record-gcc-switches -fno-common"

The same bug occurs in go 1.10 under Linux and I've seen at least one image triggering this bug in the wild, although they are somewhat rare.

Discussion

See https://play.golang.org/p/OwBqA7HLDHF

When decoding paletted PNG images, image/png.Decode makes an effort to handle the case where the PNG IDAT (pixel data) section refers to a palette entry index beyond the end of the palette (see src/png/reader.go).

However, in the case where the PNG PLTE section contains exactly 255 colors, but the PNG IDAT section contains references to 256 colors, the result of image/png.Decode is an invalid PalettedImage and nil error. The invalid Image panics when Image.At is invoked for pixels that reference the 256th color.

As the above example shows, if the PNG PLTE contains 254 (or fewer) colors, the decoded image is valid and has extra palette entries, initialized to black, for the out-of-range pixels.

I believe the problem is that readImagePass in png/reader.go should only skip palette size extension when the palette has 256 colors, not 255.
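
Added example, not part of the issue text or of Go's source: a caller-side check that rejects a decoded `*image.Paletted` whose pixels index past its palette, which is the state described above in which `At` panics. The helper names (`chunk`, `buildPNG`, `checkPaletted`) and the 1x1 test image are constructed for illustration.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"encoding/binary"
	"fmt"
	"hash/crc32"
	"image"
	"image/png"
)

// chunk appends one PNG chunk (length, type, data, CRC-32) to b; helper names here are illustrative.
func chunk(b *bytes.Buffer, typ string, data []byte) {
	body := append([]byte(typ), data...)
	binary.Write(b, binary.BigEndian, uint32(len(data)))
	b.Write(body)
	binary.Write(b, binary.BigEndian, crc32.ChecksumIEEE(body))
}

// buildPNG returns a constructed 1x1 8-bit paletted PNG: nColors black PLTE entries, one pixel = idx.
func buildPNG(nColors int, idx byte) []byte {
	var b, z bytes.Buffer
	w := zlib.NewWriter(&z)
	w.Write([]byte{0, idx}) // one scanline: filter type 0, then the pixel's palette index
	w.Close()
	b.WriteString("\x89PNG\r\n\x1a\n")
	chunk(&b, "IHDR", []byte{0, 0, 0, 1, 0, 0, 0, 1, 8, 3, 0, 0, 0}) // 1x1, depth 8, color type 3
	chunk(&b, "PLTE", make([]byte, 3*nColors))
	chunk(&b, "IDAT", z.Bytes())
	chunk(&b, "IEND", nil)
	return b.Bytes()
}

// checkPaletted returns an error if any pixel indexes past the palette (the state in which At panics).
func checkPaletted(img image.Image) error {
	if p, ok := img.(*image.Paletted); ok {
		for i, ix := range p.Pix {
			if int(ix) >= len(p.Palette) {
				return fmt.Errorf("pixel %d: index %d, palette has %d entries", i, ix, len(p.Palette))
			}
		}
	}
	return nil
}

func main() {
	img, err := png.Decode(bytes.NewReader(buildPNG(255, 255)))
	fmt.Println("decode error:", err, "| palette check:", checkPaletted(img))
}
```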

@josharian
Contributor

cc @nigeltao

@josharian added this to the Go1.14 milestone May 4, 2019
@josharian added the NeedsInvestigation label May 4, 2019
@gopherbot

Change https://golang.org/cl/175397 mentions this issue: image/png: fix palette extension to handle 255 color images

@golang locked and limited conversation to collaborators May 7, 2020