Description
What version of Go are you using (go version)?
go1.13.7
(play.golang.org)
Does this issue reproduce with the latest release?
Yes.
What operating system and processor architecture are you using (go env)?
(play.golang.org)
What did you do?
There are cases where decoding specifically crafted PNG files using the built-in decoder in image/png can lead to a panic. These are closely related to an earlier bug report at #22304.
Quick proofs-of-concept: take the program from the ticket linked above -- https://play.golang.org/p/yibwQ0ST5z -- and replace the hex-encoded PNG image with each of the following in turn:
89504e470d0a1a0a0000000d494844520000B5040000B5040806000000F5602CB80000001549444154789c626220128c2aa4b34240000000ffff133800152def5f0f0000000049454e44ae426082
89504e470d0a1a0a0000000d4948445204000000000000010806000000306EC5210000001549444154789c626220128c2aa4b34240000000ffff133800152def5f0f0000000049454e44ae426082
89504e470d0a1a0a0000000d4948445208000000000000010806000000AAD47CDA0000001549444154789c62662012308d2aa4af4240000000ffff14d20016000000
Run on a 32-bit architecture such as the playground itself, and observe three different types of panic. The first two are caused by calls to make with negative lengths (here and here, respectively), and the third one is an index out of range (here). All three are ultimately caused by 32-bit integers overflowing when multiplied with one another.
What did you expect to see?
No panic.
What did you see instead?
A panic.
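A pre-decode guard for the overflow class reported above, as an added example that is not part of the original report or of the Go source: it reads only the IHDR fields and does the size arithmetic in int64 against a chosen int limit. `CheckIHDR`, `ihdr`, the error names and the `limit` parameter are hypothetical, and the sample headers are constructed from the width, height, bit depth and color type in the IHDR fields of the three hex strings above.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"math"
)

var ErrHeader, ErrRow, ErrBuffer = errors.New("invalid PNG header"), errors.New("row size overflows int"), errors.New("pixel buffer size overflows int")
// channels per pixel, indexed by PNG color type; 0 marks an invalid type.
var channels = [7]int64{0: 1, 2: 3, 3: 1, 4: 2, 6: 4}

// CheckIHDR reads only the signature and IHDR fields and rejects dimensions whose
// derived sizes exceed limit (math.MaxInt32 models a 32-bit int). Header checks are coarse.
func CheckIHDR(b []byte, limit int64) error {
	if len(b) < 26 || string(b[:8]) != "\x89PNG\r\n\x1a\n" || string(b[12:16]) != "IHDR" {
		return ErrHeader
	}
	w := int64(binary.BigEndian.Uint32(b[16:20]))
	h := int64(binary.BigEndian.Uint32(b[20:24]))
	depth, ct := int64(b[24]), b[25]
	if w == 0 || h == 0 || w > math.MaxInt32 || h > math.MaxInt32 || ct > 6 || channels[ct] == 0 ||
		depth == 0 || depth > 16 || depth&(depth-1) != 0 {
		return ErrHeader
	}
	bitsPerPixel := depth * channels[ct] // at most 64, so the int64 products below cannot wrap
	if w*bitsPerPixel > limit-7 { // bits per row, before rounding up to whole bytes
		return ErrRow
	}
	if w*h > limit/((bitsPerPixel+7)/8) { // pixels times bytes per pixel, tested by division
		return ErrBuffer
	}
	return nil
}

// ihdr builds a constructed signature + IHDR prefix; CRC and later chunks are omitted.
func ihdr(w, h uint32, depth, colorType byte) []byte {
	b := make([]byte, 29)
	copy(b, "\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR")
	binary.BigEndian.PutUint32(b[16:], w)
	binary.BigEndian.PutUint32(b[20:], h)
	b[24], b[25] = depth, colorType
	return b
}

func main() {
	fmt.Println(CheckIHDR(ihdr(0xB504, 0xB504, 8, 6), math.MaxInt32))
}
```

With `limit` set to `math.MaxInt32` all three sets of dimensions are rejected before any allocation; with `math.MaxInt64` the first one passes, matching the report's note that the panics appear on 32-bit architectures.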