image/png: crash in readImagePass #11604

Closed
bradfitz opened this issue Jul 6, 2015 · 3 comments
Contributor

@bradfitz bradfitz commented Jul 6, 2015

From a Camlistore bug report perkeep/perkeep#631 (not go-fuzz for once), this image crashes image/png:

https://cloud.githubusercontent.com/assets/597768/8498231/b8dd6142-21c7-11e5-91e1-f07b4bc5f474.png

brad5k:~ $ go version
go version devel +ef37184 Mon Jul 6 00:07:10 2015 +0000 darwin/amd64
brad5k:~ $ go run x.go
panic: runtime error: index out of range

goroutine 1 [running]:
image/png.(*decoder).readImagePass(0x8202bee00, 0x88203ff470, 0x82025c1e0, 0x1, 0x82025c100, 0x0, 0x0, 0x0, 0x0)
    /Users/bradfitz/go/src/image/png/reader.go:461 +0x2764
image/png.(*decoder).decode(0x8202bee00, 0x0, 0x0, 0x0, 0x0)
    /Users/bradfitz/go/src/image/png/reader.go:339 +0x644
image/png.(*decoder).parseIDAT(0x8202bee00, 0x91, 0x0, 0x0)
    /Users/bradfitz/go/src/image/png/reader.go:662 +0x3a
image/png.(*decoder).parseChunk(0x8202bee00, 0x0, 0x0)
    /Users/bradfitz/go/src/image/png/reader.go:711 +0x406
image/png.Decode(0x88203ff260, 0x82027a070, 0x0, 0x0, 0x0, 0x0)
    /Users/bradfitz/go/src/image/png/reader.go:767 +0x210
main.main()
    /Users/bradfitz/x.go:11 +0x71
exit status 2

The file's contents:

0000000 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52
0000010 00 00 00 01 00 00 00 5d 08 06 00 00 01 13 5e 3c
0000020 93 00 00 00 19 74 45 58 74 53 6f 66 74 77 61 72
0000030 65 00 41 64 6f 62 65 20 49 6d 61 67 65 52 65 61
0000040 64 79 71 c9 65 3c 00 00 00 91 49 44 41 54 78 da
0000050 62 4c 49 49 39 cd cc c0 c0 10 c5 f4 e7 cf 1f 06
0000060 a6 df bf 7f 33 20 b1 be 7f ff ce c0 f4 e3 c7 0f
0000070 06 a6 bf 7f ff 42 25 c0 04 88 0b 10 40 cc 26 26
0000080 26 fb 91 c4 c0 3a c0 c4 af 5f bf 18 98 be 7e fd
0000090 8a 55 1b 88 e0 04 08 20 88 de ff ff ff 33 30 fd
00000a0 fb f7 0f 83 00 ab 43 e3 82 09 84 1d 60 f3 70 1a
00000b0 80 20 c0 4a 40 04 40 80 31 9b 9a 9a ee 47 70 99
00000c0 80 9e 46 92 45 22 50 b5 91 26 0b 26 10 ce c5 e6
00000d0 19 fc 7a 71 12 38 9d 8b 2a 01 00 ee e1 03 d4 9f
00000e0 f6 84 46 00 00 00 00 49 45 4e 44 ae 42 60 82
00000ef

/cc @dvyukov

@nigeltao
Contributor

@nigeltao nigeltao commented Jul 7, 2015

Ah, the "Average filter" code has a special case for the first column in each row, and normally, the image width must be positive, but for an interlaced image, http://www.w3.org/TR/PNG/#8Interlace says "NOTE If the reference image contains fewer than five columns or fewer than five rows, some passes will be empty", and the special case code doesn't handle a zero width sub-sample and panics.

The fix should be easy, but we're deep into the 1.5 release freeze, so I'll punt until 1.6.

(Note to myself: check also that the PNG decoder rejects a 0-width image, regardless of interlacing. http://www.w3.org/TR/PNG/#11IHDR says that "Zero is an invalid value" but decoder.parseIHDR looks like it accepts zeroes.)
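The two failure points described in the comment above (an Adam7 pass that is zero pixels wide, and an IHDR that declares a zero dimension) can be checked against the file in the report. The following is an added illustration, not the Go standard library's image/png code or the fix from CL 12064; the names ParseIHDR, PassSize, EmptyPasses and UnfilterAverage are chosen here, and the IHDR payload in main is copied from the hexdump in the issue (1 x 93 pixels, 8-bit RGBA, interlaced).

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// IHDR holds the IHDR fields needed to size the interlace passes.
type IHDR struct {
	Width, Height int
	BitDepth      uint8
	ColorType     uint8
	Interlace     uint8
}

// ParseIHDR decodes a 13-byte IHDR payload. It rejects a zero width or
// height, which http://www.w3.org/TR/PNG/#11IHDR calls an invalid value.
func ParseIHDR(payload []byte) (IHDR, error) {
	if len(payload) != 13 {
		return IHDR{}, errors.New("png: IHDR payload must be 13 bytes")
	}
	w := binary.BigEndian.Uint32(payload[0:4])
	h := binary.BigEndian.Uint32(payload[4:8])
	if w == 0 || h == 0 || w > 1<<31-1 || h > 1<<31-1 {
		return IHDR{}, errors.New("png: invalid image dimensions")
	}
	hdr := IHDR{Width: int(w), Height: int(h), BitDepth: payload[8], ColorType: payload[9], Interlace: payload[12]}
	if hdr.Interlace > 1 {
		return IHDR{}, errors.New("png: invalid interlace method")
	}
	return hdr, nil
}

// adam7 lists the start offset and stride, in pixels, of each of the seven
// interlace passes (http://www.w3.org/TR/PNG/#8Interlace).
var adam7 = [7]struct{ xOff, yOff, xStride, yStride int }{
	{0, 0, 8, 8}, {4, 0, 8, 8}, {0, 4, 4, 8}, {2, 0, 4, 4},
	{0, 2, 2, 4}, {1, 0, 2, 2}, {0, 1, 1, 2},
}

// PassSize returns the sub-image dimensions of 1-based interlace pass p.
// Either result is 0 for images narrower or shorter than five pixels, and a
// decoder must not index into such a row.
func PassSize(width, height, p int) (w, h int) {
	a := adam7[p-1]
	w = (width - a.xOff + a.xStride - 1) / a.xStride
	h = (height - a.yOff + a.yStride - 1) / a.yStride
	return w, h
}

// EmptyPasses returns the 1-based numbers of the passes that carry no pixels.
func EmptyPasses(width, height int) []int {
	var empty []int
	for p := 1; p <= 7; p++ {
		if w, h := PassSize(width, height, p); w == 0 || h == 0 {
			empty = append(empty, p)
		}
	}
	return empty
}

// UnfilterAverage reverses the PNG "Average" filter (type 3) for one row of
// a pass. cur is the filtered row, prev the reconstructed row above it (all
// zeros for the first row of a pass) and bpp the bytes per complete pixel.
func UnfilterAverage(cur, prev []byte, bpp int) []byte {
	out := make([]byte, len(cur))
	// The first pixel has no left neighbour, so it is a special case. An
	// empty pass row has no first pixel at all, so the special case is
	// skipped instead of indexing cur[0:bpp] unconditionally.
	if len(cur) == 0 {
		return out
	}
	for i := 0; i < bpp && i < len(cur); i++ {
		out[i] = cur[i] + prev[i]/2
	}
	for i := bpp; i < len(cur); i++ {
		out[i] = cur[i] + byte((int(out[i-bpp])+int(prev[i]))/2)
	}
	return out
}

func main() {
	// IHDR payload from the hexdump in the issue: 1 x 93, 8-bit RGBA, interlaced.
	hdr, err := ParseIHDR([]byte{0, 0, 0, 1, 0, 0, 0, 0x5d, 8, 6, 0, 0, 1})
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	fmt.Printf("%dx%d interlace=%d\n", hdr.Width, hdr.Height, hdr.Interlace)
	for p := 1; p <= 7; p++ {
		w, h := PassSize(hdr.Width, hdr.Height, p)
		fmt.Printf("pass %d: %d x %d\n", p, w, h)
	}
	fmt.Println("empty passes:", EmptyPasses(hdr.Width, hdr.Height))
	// A zero-width pass row unfilters to nothing instead of panicking.
	fmt.Println("empty row ->", UnfilterAverage(nil, nil, 4))
	// A zero width in IHDR is rejected before any pass is decoded.
	_, err = ParseIHDR([]byte{0, 0, 0, 0, 0, 0, 0, 0x5d, 8, 6, 0, 0, 1})
	fmt.Println("zero width:", err)
}
```

For the 1-pixel-wide image in the report, passes 2, 4 and 6 come out zero pixels wide while still having rows to decode, which is exactly the case the first-column special case has to skip. Rejecting zero dimensions in IHDR is a separate check and does not make the empty-pass guard unnecessary, because a valid 1 x 93 image produces empty passes too.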

@nigeltao nigeltao modified the milestones: Go1.6, Go1.5Maybe Jul 7, 2015
@bradfitz
Contributor Author

@bradfitz bradfitz commented Jul 7, 2015

Could you prepare a fix anyway? Camlistore will apply it in a fork of image/png in that case, since it's causing users pain.

@nigeltao
Contributor

@nigeltao nigeltao commented Jul 13, 2015

https://go-review.googlesource.com/12064 is a fix, waiting for the tree to open for Go 1.6.

@nigeltao nigeltao closed this in ca6ba49 Jul 13, 2015
@mikioh mikioh modified the milestones: Go1.5, Go1.6 Jul 14, 2015
@golang golang locked and limited conversation to collaborators Jul 13, 2016