Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

image/png: panic whilst decoding png #22304

Closed
takeyourhatoff opened this issue Oct 17, 2017 · 2 comments
Closed

image/png: panic whilst decoding png #22304

takeyourhatoff opened this issue Oct 17, 2017 · 2 comments

Comments

@takeyourhatoff
Copy link

@takeyourhatoff takeyourhatoff commented Oct 17, 2017

Please answer these questions before submitting your issue. Thanks!

What version of Go are you using (go version)?

go1.9.1

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

GOARCH=amd64
GOOS=linux

What did you do?

Run the program at: https://play.golang.org/p/yibwQ0ST5z

What did you expect to see?

An error message returned by png.Decode to be printed

What did you see instead?

panic: runtime error: makeslice: len out of range

goroutine 1 [running]:
image.NewNRGBA(...)
        /usr/local/go/src/image/image.go:365
image/png.(*decoder).readImagePass(0xc42008a400, 0x7fb114058030, 0xc4200980f0, 0x0, 0xc420098000, 0x0, 0xc400000000, 0xc4200aa000, 0xc42008a478)
        /usr/local/go/src/image/png/reader.go:460 +0x2dd2
image/png.(*decoder).decode(0xc42008a400, 0x0, 0x0, 0x0, 0x0)
        /usr/local/go/src/image/png/reader.go:365 +0x5bd
image/png.(*decoder).parseIDAT(0xc42008a400, 0x15, 0x4d6b69, 0x4)
        /usr/local/go/src/image/png/reader.go:839 +0x36
image/png.(*decoder).parseChunk(0xc42008a400, 0x0, 0x0)
        /usr/local/go/src/image/png/reader.go:899 +0x409
image/png.Decode(0x549160, 0xc420084180, 0xc42009e050, 0x4e, 0x4e, 0x0)
        /usr/local/go/src/image/png/reader.go:958 +0x156
main.main()
        /home/tyho/workspace/badihdr/main.go:15 +0xbd
exit status 2

This is caused by an integer overflow when multiplying the width of the image by the height, and subsequently trying to allocated a slice with a negative element count. image.New*() functions should probably guard against integer overflow before calling make().

I would like to try to write the fix.
NOTE: this only panics on 64 bit architectures, hence does not panic on the playground.

@ianlancetaylor ianlancetaylor added this to the Go1.10 milestone Oct 17, 2017
@ianlancetaylor
Copy link
Contributor

@ianlancetaylor ianlancetaylor commented Oct 17, 2017

@gopherbot
Copy link

@gopherbot gopherbot commented Oct 21, 2017

Change https://golang.org/cl/72350 mentions this issue: image/png: fix width * height * bpp overflow check.

@gopherbot gopherbot closed this in 1de2267 Oct 21, 2017
@golang golang locked and limited conversation to collaborators Oct 21, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
3 participants
You can’t perform that action at this time.