katiehockman changed the title from "Integer overflows lead to panic in PNG decoder on 32-bit architectures" to "image/png: integer overflows lead to panic in PNG decoder on 32-bit architectures" on Apr 14, 2020
What version of Go are you using (go version)?
(play.golang.org)
Does this issue reproduce with the latest release?
Yes.
What operating system and processor architecture are you using (go env)?
(play.golang.org)
What did you do?
There are cases where decoding specifically crafted PNG files using the built-in decoder in image/png can lead to panic. These are closely related to an earlier bug report at #22304.
Quick proofs-of-concept: take the program from the ticket linked above -- https://play.golang.org/p/yibwQ0ST5z -- and replace the hex-encoded PNG image with each of the following in turn:
Run on a 32-bit architecture such as the playground itself, and observe three different types of panic. The first two are caused by calls to make with negative lengths (here and here, respectively), and the third one is an index out of range (here). All three are ultimately caused by 32-bit integers overflowing when multiplied with one another.
What did you expect to see?
No panic.
What did you see instead?
A panic.
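Added example, not part of the original report and not code from image/png: it shows how a width × height × bytes-per-pixel product wraps negative in 32-bit arithmetic, next to a caller-side pre-check that reads the IHDR chunk and bounds the buffer size in int64 before decoding. The names `SampleHeader`, `Wrapped32` and `CheckedSize`, the 30000×30000 dimensions and the `1<<28` byte limit are assumptions chosen for illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
)

// Channels per pixel by PNG color type: gray, RGB, palette, gray+alpha, RGBA.
var channels = map[byte]int64{0: 1, 2: 3, 3: 1, 4: 2, 6: 4}

// SampleHeader builds a constructed PNG signature plus IHDR chunk (no pixel data).
func SampleHeader(w, h uint32, depth, ctype byte) []byte {
	b := make([]byte, 33)
	copy(b, "\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR")
	binary.BigEndian.PutUint32(b[16:], w)
	binary.BigEndian.PutUint32(b[20:], h)
	b[24], b[25] = depth, ctype
	binary.BigEndian.PutUint32(b[29:], crc32.ChecksumIEEE(b[12:29]))
	return b
}

// Wrapped32 is w*h*bytesPerPixel with 32-bit ints (illustration, not library code).
func Wrapped32(w, h uint32, bytesPerPixel int32) int32 {
	return int32(w) * int32(h) * bytesPerPixel
}

// CheckedSize computes the pixel-buffer size from IHDR in int64, bounded by limit.
func CheckedSize(png []byte, limit int64) (int64, error) {
	if len(png) < 33 || string(png[:8]) != "\x89PNG\r\n\x1a\n" || string(png[12:16]) != "IHDR" {
		return 0, errors.New("not a PNG with a leading IHDR chunk")
	}
	w := int64(binary.BigEndian.Uint32(png[16:20]))
	h := int64(binary.BigEndian.Uint32(png[20:24]))
	depth, ch := int64(png[24]), channels[png[25]]
	if w == 0 || h == 0 || w > 1<<31-1 || h > 1<<31-1 || depth == 0 || depth > 16 || ch == 0 {
		return 0, errors.New("invalid IHDR fields")
	}
	rowBytes := (w*ch*depth + 7) / 8 // at most 2^31 * 4 * 16 = 2^37, fits int64
	if rowBytes > limit/h {
		return 0, errors.New("pixel buffer would exceed limit")
	}
	return rowBytes * h, nil
}

func main() {
	fmt.Println(Wrapped32(30000, 30000, 4)) // 8-bit RGBA is 4 bytes per pixel
	fmt.Println(CheckedSize(SampleHeader(30000, 30000, 8, 6), 1<<28))
}
```

Comparing `rowBytes` against `limit/h` instead of multiplying first keeps the check itself free of overflow, so the same code behaves identically on 32-bit and 64-bit builds.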