Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

image: Decode(r io.Reader) return invalid image without error #48612

Closed
hangfanL opened this issue Sep 24, 2021 · 4 comments
Closed

image: Decode(r io.Reader) return invalid image without error #48612

hangfanL opened this issue Sep 24, 2021 · 4 comments
Labels
FrozenDueToAge NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone
Backlog

Comments

@hangfanL
Copy link

What version of Go are you using (go version)?

$ go version
go version go1.17.1 darwin/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/hangfan/Library/Caches/go-build"
GOENV="/Users/hangfan/Library/Application Support/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOINSECURE=""
GOMODCACHE="/Users/hangfan/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="darwin"
GOPATH="/Users/hangfan/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/darwin_amd64"
GOVCS=""
GOVERSION="go1.17.1"
GCCGO="gccgo"
AR="ar"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD="/dev/null"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -arch x86_64 -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/l9/y02qslys54qbw_5r_4qsjl9r0000gy/T/go-build4025033244=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

I read a image(.png) using image.Decode(). Attempting to manually obtain color information of particular point in the image
runnable program and origin image:
crash_code.txt

crash_img

What did you expect to see?

I think image.Decode function should return either a valid image.Image or error. If the origin image has internal error, decoder should at least reject it and throw corresponding error, instead of returning an invalid image.
the no empty image returned from Decode can guarantee it's validity. We can easily get whatever pixel color information in this image.

What did you see instead?

Version:  go1.17.1
(0,0)-(600,600)
panic: runtime error: index out of range [237] with length 80

goroutine 1 [running]:
image.(*Paletted).At(0x10ede00, 0xc00000e018, 0xc00013def0)
        /usr/local/go/src/image/image.go:1157 +0xa9
main.main()
        /Users/hangfan.liu/git.garena.com/shopee/crawler/internal/crawlsvr/tool/crash/crash.go:31 +0x2b5

Process finished with the exit code 2
  1. image.Decode return a no nill image.Paletted without error
  2. ensure that the point(73,41) is inside of the bounds
  3. Attempting to get color:=img.At(73,41)
  4. panic occur: index out of range [237] with length 80
  5. some thinking: should fix image/png/reader or manually add additional checker function after image.Decode? Obviously the second one is not reasonable.
@hangfanL hangfanL changed the title image/Decode(r io.Reader) return invalid image without erro image/Decode(r io.Reader) return invalid image without error Sep 24, 2021
@seankhliao seankhliao changed the title image/Decode(r io.Reader) return invalid image without error image: Decode(r io.Reader) return invalid image without error Sep 25, 2021
@mknyszek mknyszek added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Oct 4, 2021
@mknyszek mknyszek added this to the Backlog milestone Oct 4, 2021
@mknyszek
Copy link
Contributor

mknyszek commented Oct 4, 2021

CC @nigeltao via https://dev.golang.org/owners

@mknyszek
Copy link
Contributor

mknyszek commented Oct 4, 2021

Is this issue new in the latest release, or has it always been there? Also, I noticed you're using image.Paletted, but does your image follow the same format? It's possible that it's impossible for the image package to actually detect this. What happens if you use something like NRGBA?

@mknyszek
Copy link
Contributor

mknyszek commented Oct 4, 2021

Also, please provide more detailed steps to reproduce, and the image itself, if possible.

@gopherbot
Copy link

Change https://golang.org/cl/354709 mentions this issue: image/png: fix interlaced palette out-of-bounds

@golang golang locked and limited conversation to collaborators Oct 8, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Projects
None yet
Milestone
Backlog
Development

No branches or pull requests
3 participants
@mknyszek @gopherbot @hangfanL