image/png: integer overflows lead to panic in PNG decoder on 32-bit architectures #38435

Closed
jupenur opened this issue Apr 14, 2020 · 2 comments

@jupenur jupenur commented Apr 14, 2020

What version of Go are you using (go version)?

go1.13.7

(play.golang.org)

Does this issue reproduce with the latest release?

Yes.

What operating system and processor architecture are you using (go env)?

(play.golang.org)

What did you do?

There are cases where decoding specifically crafted PNG files using the built-in decoder in image/png can lead to panic. These are closely related to an earlier bug report at #22304.

Quick proofs-of-concept: take the program from the ticket linked above -- https://play.golang.org/p/yibwQ0ST5z -- and replace the hex-encoded PNG image with each of the following in turn:

89504e470d0a1a0a0000000d494844520000B5040000B5040806000000F5602CB80000001549444154789c626220128c2aa4b34240000000ffff133800152def5f0f0000000049454e44ae426082
89504e470d0a1a0a0000000d4948445204000000000000010806000000306EC5210000001549444154789c626220128c2aa4b34240000000ffff133800152def5f0f0000000049454e44ae426082
89504e470d0a1a0a0000000d4948445208000000000000010806000000AAD47CDA0000001549444154789c62662012308d2aa4af4240000000ffff14d20016000000

Run on a 32-bit architecture such as the playground itself, and observe three different types of panic. The first two are caused by calls to make with negative lengths (here and here, respectively), and the third one is an index out of range (here). All three are ultimately caused by 32-bit integers overflowing when multiplied with one another.

What did you expect to see?

No panic.

What did you see instead?

A panic.
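
The arithmetic behind the three panics described in the report, as an added example (not code from the issue or from image/png). The names `ihdr`, `sizes32` and `checkedSizes` are hypothetical and the two sizing formulas are an assumed simplification of a decoder's buffer math; the dimensions are the IHDR fields of the three hex images above.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// ihdr holds the PNG header fields that drive buffer sizing.
type ihdr struct {
	Width, Height uint32
	BitsPerPixel  int64 // 1..64 in PNG; 8-bit RGBA is 32
}

// Dimensions read from the IHDR chunks of the report's three hex images (8-bit RGBA).
var samples = []ihdr{
	{0x0000B504, 0x0000B504, 32},
	{0x04000000, 0x00000001, 32},
	{0x08000000, 0x00000001, 32},
}

// sizes32 models the sizing math with a 32-bit int, where multiplication
// wraps silently. The formulas are an assumed simplification.
func sizes32(h ihdr) (rowBytes, pixelBytes int32) {
	w, ht, bpp := int32(h.Width), int32(h.Height), int32(h.BitsPerPixel)
	// filter byte + packed scanline; width * height * bytes per pixel
	return 1 + (bpp*w+7)/8, w * ht * ((bpp + 7) / 8)
}

var errBadDims = errors.New("png: dimensions invalid or too large for a 32-bit int")

// checkedSizes repeats the math in int64 and rejects any result that a
// 32-bit int cannot hold, before anything is allocated.
func checkedSizes(h ihdr) (rowBytes, pixelBytes int64, err error) {
	w, ht, bpp := int64(h.Width), int64(h.Height), h.BitsPerPixel
	if bpp < 1 || bpp > 64 || w > math.MaxInt32 || ht > math.MaxInt32 ||
		bpp*w > math.MaxInt32-7 || w*ht > math.MaxInt32/((bpp+7)/8) {
		return 0, 0, errBadDims
	}
	return 1 + (bpp*w+7)/8, w * ht * ((bpp + 7) / 8), nil
}

func main() {
	for _, h := range samples {
		row, pix := sizes32(h)
		_, _, err := checkedSizes(h)
		fmt.Printf("%dx%d: row=%d pixels=%d checked=%v\n", h.Width, h.Height, row, pix, err)
	}
}
```

In this model the first two headers yield a negative size (the kind of value that makes `make` panic), and the third wraps to a 1-byte row that is far too small for the data, which fits the index-out-of-range case.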

@katiehockman katiehockman changed the title Integer overflows lead to panic in PNG decoder on 32-bit architectures image/png: integer overflows lead to panic in PNG decoder on 32-bit architectures Apr 14, 2020
@katiehockman katiehockman added this to the Go1.15 milestone Apr 14, 2020

@katiehockman katiehockman commented Apr 14, 2020

@nigeltao are you still maintaining image/png, or do you know someone else who would be able to take a look at this (even just for review would be helpful)?

/cc @FiloSottile


@gopherbot gopherbot commented Apr 27, 2020

Change https://golang.org/cl/230219 mentions this issue: image/png: fix some 32-bit int overflows

@gopherbot gopherbot closed this in bce1e25 Apr 27, 2020
xujianhai666 added a commit to xujianhai666/go-1 that referenced this issue May 21, 2020
Fixes golang#38435

Change-Id: Ib9ae3cf7f338b2860a5688e448a125f257fe624e
Reviewed-on: https://go-review.googlesource.com/c/go/+/230219
Reviewed-by: Andrew Ekstedt <andrew.ekstedt@gmail.com>
Reviewed-by: Rob Pike <r@golang.org>