Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

image/png: panic whilst decoding png #22304

takeyourhatoff opened this issue Oct 17, 2017 · 2 comments

image/png: panic whilst decoding png #22304

takeyourhatoff opened this issue Oct 17, 2017 · 2 comments


Copy link

@takeyourhatoff takeyourhatoff commented Oct 17, 2017

Please answer these questions before submitting your issue. Thanks!

What version of Go are you using (go version)?


Does this issue reproduce with the latest release?


What operating system and processor architecture are you using (go env)?


What did you do?

Run the program at:

What did you expect to see?

An error message returned by png.Decode to be printed

What did you see instead?

panic: runtime error: makeslice: len out of range

goroutine 1 [running]:
image/png.(*decoder).readImagePass(0xc42008a400, 0x7fb114058030, 0xc4200980f0, 0x0, 0xc420098000, 0x0, 0xc400000000, 0xc4200aa000, 0xc42008a478)
        /usr/local/go/src/image/png/reader.go:460 +0x2dd2
image/png.(*decoder).decode(0xc42008a400, 0x0, 0x0, 0x0, 0x0)
        /usr/local/go/src/image/png/reader.go:365 +0x5bd
image/png.(*decoder).parseIDAT(0xc42008a400, 0x15, 0x4d6b69, 0x4)
        /usr/local/go/src/image/png/reader.go:839 +0x36
image/png.(*decoder).parseChunk(0xc42008a400, 0x0, 0x0)
        /usr/local/go/src/image/png/reader.go:899 +0x409
image/png.Decode(0x549160, 0xc420084180, 0xc42009e050, 0x4e, 0x4e, 0x0)
        /usr/local/go/src/image/png/reader.go:958 +0x156
        /home/tyho/workspace/badihdr/main.go:15 +0xbd
exit status 2

This is caused by an integer overflow when multiplying the width of the image by the height, and subsequently trying to allocated a slice with a negative element count. image.New*() functions should probably guard against integer overflow before calling make().

I would like to try to write the fix.
NOTE: this only panics on 64 bit architectures, hence does not panic on the playground.

Copy link

@ianlancetaylor ianlancetaylor commented Oct 17, 2017


Copy link

@gopherbot gopherbot commented Oct 21, 2017

Change mentions this issue: image/png: fix width * height * bpp overflow check.


@gopherbot gopherbot closed this in 1de2267 Oct 21, 2017
@golang golang locked and limited conversation to collaborators Oct 21, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
3 participants