Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

image/png: integer overflows lead to panic in PNG decoder on 32-bit architectures #38435

jupenur opened this issue Apr 14, 2020 · 2 comments


Copy link

@jupenur jupenur commented Apr 14, 2020

What version of Go are you using (go version)?



Does this issue reproduce with the latest release?


What operating system and processor architecture are you using (go env)?


What did you do?

There are cases where decoding specifically crafted PNG files using the built-in decoder in image/png can lead to panic. These are closely related to an earlier bug report at #22304.

Quick proofs-of-concept: take the program from the ticket linked above -- -- and replace the hex-encoded PNG image with each of the following in turn:


Run on a 32-bit architecture such as the playground itself, and observe three different types of panic. The first two are caused by calls to make with negative lengths (here and here, respectively), and the third one is an index out of range (here). All three are ultimately caused by 32-bit integers overflowing when multiplied with one another.

What did you expect to see?

No panic.

What did you see instead?

A panic.

@katiehockman katiehockman changed the title Integer overflows lead to panic in PNG decoder on 32-bit architectures image/png: integer overflows lead to panic in PNG decoder on 32-bit architectures Apr 14, 2020
@katiehockman katiehockman added this to the Go1.15 milestone Apr 14, 2020
Copy link

@katiehockman katiehockman commented Apr 14, 2020

@nigeltao are you still maintaining image/png, or know someone else who would be able to take a look at this (even just for review would be helpful)?

/cc @FiloSottile


Copy link

@gopherbot gopherbot commented Apr 27, 2020

Change mentions this issue: image/png: fix some 32-bit int overflows


@gopherbot gopherbot closed this in bce1e25 Apr 27, 2020
xujianhai666 added a commit to xujianhai666/go-1 that referenced this issue May 21, 2020
Fixes golang#38435

Change-Id: Ib9ae3cf7f338b2860a5688e448a125f257fe624e
Reviewed-by: Andrew Ekstedt <>
Reviewed-by: Rob Pike <>
@golang golang locked and limited conversation to collaborators Apr 27, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
3 participants