image/png: integer overflows lead to panic in PNG decoder on 32-bit architectures #38435

Closed
jupenur opened this issue Apr 14, 2020 · 2 comments
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done.

jupenur commented Apr 14, 2020

What version of Go are you using (go version)?

go1.13.7

(play.golang.org)

Does this issue reproduce with the latest release?

Yes.

What operating system and processor architecture are you using (go env)?

(play.golang.org)

What did you do?

There are cases where decoding specifically crafted PNG files using the built-in decoder in image/png can lead to panic. These are closely related to an earlier bug report at #22304.

Quick proofs-of-concept: take the program from the ticket linked above -- https://play.golang.org/p/yibwQ0ST5z -- and replace the hex-encoded PNG image with each of the following in turn:

89504e470d0a1a0a0000000d494844520000B5040000B5040806000000F5602CB80000001549444154789c626220128c2aa4b34240000000ffff133800152def5f0f0000000049454e44ae426082
89504e470d0a1a0a0000000d4948445204000000000000010806000000306EC5210000001549444154789c626220128c2aa4b34240000000ffff133800152def5f0f0000000049454e44ae426082
89504e470d0a1a0a0000000d4948445208000000000000010806000000AAD47CDA0000001549444154789c62662012308d2aa4af4240000000ffff14d20016000000

Run on a 32-bit architecture such as the playground itself, and observe three different types of panic. The first two are caused by calls to make with negative lengths (here and here, respectively), and the third one is an index out of range (here). All three are ultimately caused by 32-bit integers overflowing when multiplied with one another.

What did you expect to see?

No panic.

What did you see instead?

A panic.
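An added example, not part of the original report and not the Go project's code: it models the size arithmetic with an explicit `int32` for the three sample images above, whose IHDR chunks declare 8-bit RGBA (32 bits per pixel), and compares it with the same arithmetic done in `int64`. The names `sizes32` and `checkedSizes` and the two simplified formulas (pixel buffer bytes, row buffer bytes) are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"math"
)

// Width and height read from the IHDR chunks of the three samples in the report.
var samples = [][2]int32{{0xB504, 0xB504}, {0x04000000, 1}, {0x08000000, 1}}

const bitsPerPixel = 32 // 8-bit RGBA

// sizes32 models a 32-bit int: Go integer multiplication wraps silently,
// so the results can be negative or far too small.
func sizes32(w, h int32) (pixBytes, rowSize int32) {
	pixBytes = 4 * w * h               // assumed pixel buffer size
	rowSize = 1 + (bitsPerPixel*w+7)/8 // assumed row buffer size (filter byte + data)
	return pixBytes, rowSize
}

var errOverflow = fmt.Errorf("dimension overflow")

// checkedSizes repeats the arithmetic in int64 and rejects any result
// that does not fit in a 32-bit int, instead of letting it wrap.
func checkedSizes(w, h int32) (pixBytes, rowSize int32, err error) {
	if w <= 0 || h <= 0 {
		return 0, 0, errOverflow
	}
	pix := 4 * int64(w) * int64(h)
	row := 1 + (bitsPerPixel*int64(w)+7)/8
	if pix > math.MaxInt32 || row > math.MaxInt32 {
		return 0, 0, errOverflow
	}
	return int32(pix), int32(row), nil
}

func main() {
	for _, s := range samples {
		p, r := sizes32(s[0], s[1])
		cp, cr, err := checkedSizes(s[0], s[1])
		fmt.Printf("w=%d h=%d wrapped: pix=%d row=%d | checked: pix=%d row=%d err=%v\n",
			s[0], s[1], p, r, cp, cr, err)
	}
}
```

In this model the first sample wraps the pixel buffer size to a negative number, the second wraps the row size to a negative number, and the third wraps the row size to 1, which lines up with the two negative-length `make` panics and the index out of range described above.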

@katiehockman katiehockman changed the title Integer overflows lead to panic in PNG decoder on 32-bit architectures image/png: integer overflows lead to panic in PNG decoder on 32-bit architectures Apr 14, 2020
@katiehockman katiehockman added this to the Go1.15 milestone Apr 14, 2020
@katiehockman katiehockman added the NeedsFix The path to resolution is known, but the work has not been done. label Apr 14, 2020
@katiehockman
Contributor

@nigeltao are you still maintaining image/png, or do you know someone else who would be able to take a look at this (even just for review would be helpful)?

/cc @FiloSottile

@gopherbot

Change https://golang.org/cl/230219 mentions this issue: image/png: fix some 32-bit int overflows

xujianhai666 pushed a commit to xujianhai666/go-1 that referenced this issue May 21, 2020
Fixes golang#38435

Change-Id: Ib9ae3cf7f338b2860a5688e448a125f257fe624e
Reviewed-on: https://go-review.googlesource.com/c/go/+/230219
Reviewed-by: Andrew Ekstedt <andrew.ekstedt@gmail.com>
Reviewed-by: Rob Pike <r@golang.org>
@golang golang locked and limited conversation to collaborators Apr 27, 2021