image/png: panic whilst decoding png #22304
Description
Please answer these questions before submitting your issue. Thanks!
What version of Go are you using (go version)?
go1.9.1
Does this issue reproduce with the latest release?
Yes
What operating system and processor architecture are you using (go env)?
GOARCH=amd64
GOOS=linux
What did you do?
Run the program at: https://play.golang.org/p/yibwQ0ST5z
What did you expect to see?
An error message returned by png.Decode to be printed
What did you see instead?
panic: runtime error: makeslice: len out of range
goroutine 1 [running]:
image.NewNRGBA(...)
/usr/local/go/src/image/image.go:365
image/png.(*decoder).readImagePass(0xc42008a400, 0x7fb114058030, 0xc4200980f0, 0x0, 0xc420098000, 0x0, 0xc400000000, 0xc4200aa000, 0xc42008a478)
/usr/local/go/src/image/png/reader.go:460 +0x2dd2
image/png.(*decoder).decode(0xc42008a400, 0x0, 0x0, 0x0, 0x0)
/usr/local/go/src/image/png/reader.go:365 +0x5bd
image/png.(*decoder).parseIDAT(0xc42008a400, 0x15, 0x4d6b69, 0x4)
/usr/local/go/src/image/png/reader.go:839 +0x36
image/png.(*decoder).parseChunk(0xc42008a400, 0x0, 0x0)
/usr/local/go/src/image/png/reader.go:899 +0x409
image/png.Decode(0x549160, 0xc420084180, 0xc42009e050, 0x4e, 0x4e, 0x0)
/usr/local/go/src/image/png/reader.go:958 +0x156
main.main()
/home/tyho/workspace/badihdr/main.go:15 +0xbd
exit status 2
This is caused by an integer overflow when multiplying the width of the image by the height, and subsequently trying to allocated a slice with a negative element count. image.New*() functions should probably guard against integer overflow before calling make().
I would like to try to write the fix.
NOTE: this only panics on 64 bit architectures, hence does not panic on the playground.