x/image/bmp: NewNRGBA will panic when dealing with too large length and width #60885

Open
pic4xiu opened this issue Jun 20, 2023 · 3 comments
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.

pic4xiu commented Jun 20, 2023

What version of Go are you using (go version)?

❯ go version
go version go1.20.4 darwin/arm64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
does not affect

What did you do?

package main

import (
	"bytes"
	"image"
	"os"

	"golang.org/x/image/bmp"
)

func main() {
	data := []byte("BM0000\x00\x00\x00\x006\x00\x00\x00(\x00\x00\x0000000000\x01\x00 \x00\x00\x00\x00\x0000000000000000000000")

	src, _, err := image.Decode(bytes.NewReader(data))
	if err != nil {
		panic(err)
	}
	file, err := os.Create("output.bmp")
	if err != nil {
		panic(err)
	}
	defer file.Close()

	err = bmp.Encode(file, src)
	if err != nil {
		panic(err)
	}
}

What did you expect to see?

Error returned: image size too large

What did you see instead?

❯ go run main.go
panic: runtime error: makeslice: len out of range

goroutine 1 [running]:
image.NewNRGBA({{0x3ee?, 0x24?}, {0x1400009ce68?, 0x280462c074?}})
        /usr/local/go/src/image/image.go:459 +0x64
golang.org/x/image/bmp.decodeNRGBA({0x10467e6e8, 0x14000092180}, {{0x10467e748?, 0x140000ac000?}, 0x1046703a0?, 0x104679980?}, 0x0, 0x0)
        /Users/*/go/pkg/mod/golang.org/x/image@v0.8.0/bmp/reader.go:89 +0x64
golang.org/x/image/bmp.Decode({0x10467e6e8, 0x14000092180})
        /Users/*/go/pkg/mod/golang.org/x/image@v0.8.0/bmp/reader.go:126 +0x64
image.Decode({0x10467e708?, 0x140000a01b0?})
        /usr/local/go/src/image/format.go:93 +0x8c
main.main()
        /Users/*/Desktop/src/cve/main.go:14 +0xbc
exit status 2

I tried to modify it to limit the length of the decodeNRGBA function, but it was only roughly completed. Need to know the size of maxAlloc in the runtime package. This is the fundamental solution to this bug.

@ianlancetaylor ianlancetaylor changed the title image/image.go:NewNRGBA will panic when dealing with too large length and width x/image/bmp: NewNRGBA will panic when dealing with too large length and width Jun 20, 2023
@gopherbot gopherbot added this to the Unreleased milestone Jun 20, 2023
@ianlancetaylor
Contributor

CC @nigeltao

@bcmills
Contributor

bcmills commented Jun 20, 2023

See previously #58003 (CC @rolandshoemaker, @golang/security).

@bcmills bcmills added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Jun 20, 2023
@rolandshoemaker
Member

Unlike #58003, this is in Decode. Calling DecodeConfig, in this case and generally, lets you know the dimensions of the image before attempting to decode it, which in this case are 808464432 x 808464432 (an image on the order of 600 petabytes).

Decode should probably(?) not be opportunistically attempting to preallocate the pixel slice (by calling image.NewRGBA), but since this is reliant on the user not being aware of the actual size of the image, we won't consider this a security issue.
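The DecodeConfig-before-Decode check described in the comment above, as an added example that is not code from the issue's participants or the Go project. `DecodeBounded`, `ErrTooLarge` and the `1<<26` pixel limit are assumptions, and `bmpConfig`/`bmpDecode` are constructed stand-ins so the block runs with the standard library only; in real code, import `golang.org/x/image/bmp` as the reproducer does and drop the stand-ins.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"image"
	"io"
)

var ErrTooLarge = errors.New("image size too large")
// issueInput is the byte string from the reproducer in the issue.
const issueInput = "BM0000\x00\x00\x00\x006\x00\x00\x00(\x00\x00\x0000000000\x01\x00 \x00\x00\x00\x00\x0000000000000000000000"

// bmpConfig: constructed stand-in reading only width/height (offsets 18 and 22).
func bmpConfig(r io.Reader) (image.Config, error) {
	var h [26]byte
	_, err := io.ReadFull(r, h[:])
	w, ht := int32(binary.LittleEndian.Uint32(h[18:])), int32(binary.LittleEndian.Uint32(h[22:]))
	return image.Config{Width: int(w), Height: int(ht)}, err
}

// bmpDecode: stand-in that allocates straight from the header, as in the trace.
func bmpDecode(r io.Reader) (image.Image, error) {
	c, err := bmpConfig(r)
	if err != nil {
		return nil, err
	}
	return image.NewNRGBA(image.Rect(0, 0, c.Width, c.Height)), nil
}

func init() { image.RegisterFormat("bmp", "BM", bmpDecode, bmpConfig) }

// DecodeBounded runs the full decoder only if the size from image.DecodeConfig fits maxPixels.
func DecodeBounded(data []byte, maxPixels int64) (image.Image, error) {
	cfg, _, err := image.DecodeConfig(bytes.NewReader(data))
	if err != nil {
		return nil, err
	}
	w, h := int64(cfg.Width), int64(cfg.Height)
	if w <= 0 || h <= 0 || w > maxPixels/h { // division avoids overflow in w*h
		return nil, fmt.Errorf("%w: %dx%d", ErrTooLarge, cfg.Width, cfg.Height)
	}
	img, _, err := image.Decode(bytes.NewReader(data))
	return img, err
}

func main() { fmt.Println(DecodeBounded([]byte(issueInput), 1<<26)) }
```

With the issue's input the function returns the "image size too large" error the reporter expected, and the allocating decoder is never reached.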
