image/png: crash in readImagePass #11604
Description
From a Camlistore bug report perkeep/perkeep#631 (not go-fuzz for once), this image crashes image/png:
https://cloud.githubusercontent.com/assets/597768/8498231/b8dd6142-21c7-11e5-91e1-f07b4bc5f474.png
brad5k:~ $ go version
go version devel +ef37184 Mon Jul 6 00:07:10 2015 +0000 darwin/amd64
brad5k:~ $ go run x.go
panic: runtime error: index out of range
goroutine 1 [running]:
image/png.(*decoder).readImagePass(0x8202bee00, 0x88203ff470, 0x82025c1e0, 0x1, 0x82025c100, 0x0, 0x0, 0x0, 0x0)
/Users/bradfitz/go/src/image/png/reader.go:461 +0x2764
image/png.(*decoder).decode(0x8202bee00, 0x0, 0x0, 0x0, 0x0)
/Users/bradfitz/go/src/image/png/reader.go:339 +0x644
image/png.(*decoder).parseIDAT(0x8202bee00, 0x91, 0x0, 0x0)
/Users/bradfitz/go/src/image/png/reader.go:662 +0x3a
image/png.(*decoder).parseChunk(0x8202bee00, 0x0, 0x0)
/Users/bradfitz/go/src/image/png/reader.go:711 +0x406
image/png.Decode(0x88203ff260, 0x82027a070, 0x0, 0x0, 0x0, 0x0)
/Users/bradfitz/go/src/image/png/reader.go:767 +0x210
main.main()
/Users/bradfitz/x.go:11 +0x71
exit status 2
The file's contents:
0000000 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52
0000010 00 00 00 01 00 00 00 5d 08 06 00 00 01 13 5e 3c
0000020 93 00 00 00 19 74 45 58 74 53 6f 66 74 77 61 72
0000030 65 00 41 64 6f 62 65 20 49 6d 61 67 65 52 65 61
0000040 64 79 71 c9 65 3c 00 00 00 91 49 44 41 54 78 da
0000050 62 4c 49 49 39 cd cc c0 c0 10 c5 f4 e7 cf 1f 06
0000060 a6 df bf 7f 33 20 b1 be 7f ff ce c0 f4 e3 c7 0f
0000070 06 a6 bf 7f ff 42 25 c0 04 88 0b 10 40 cc 26 26
0000080 26 fb 91 c4 c0 3a c0 c4 af 5f bf 18 98 be 7e fd
0000090 8a 55 1b 88 e0 04 08 20 88 de ff ff ff 33 30 fd
00000a0 fb f7 0f 83 00 ab 43 e3 82 09 84 1d 60 f3 70 1a
00000b0 80 20 c0 4a 40 04 40 80 31 9b 9a 9a ee 47 70 99
00000c0 80 9e 46 92 45 22 50 b5 91 26 0b 26 10 ce c5 e6
00000d0 19 fc 7a 71 12 38 9d 8b 2a 01 00 ee e1 03 d4 9f
00000e0 f6 84 46 00 00 00 00 49 45 4e 44 ae 42 60 82
00000ef
/cc @dvyukov