image/png: fails to correctly handle certain invalid PNG images  #31830

@zuercher

What version of Go are you using (go version)?

$ go version
go version go1.12.4 darwin/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/szuercher/Library/Caches/go-build"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOOS="darwin"
GOPATH="/Users/szuercher/workspace/golang"
GOPROXY=""
GORACE=""
GOROOT="/usr/local/Cellar/go/1.12.4/libexec"
GOTMPDIR=""
GOTOOLDIR="/usr/local/Cellar/go/1.12.4/libexec/pkg/tool/darwin_amd64"
GCCGO="gccgo"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD="/Users/szuercher/workspace/pngbug/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/c5/jwz1mzyj7337sc6s71d5rscc0000gp/T/go-build351626190=/tmp/go-build -gno-record-gcc-switches -fno-common"

The same bug occurs in go 1.10 under Linux and I've seen at least one image triggering this bug in the wild, although they are somewhat rare.

Discussion

See https://play.golang.org/p/OwBqA7HLDHF

When decoding paletted PNG images, image/png.Decode makes an effort to handle the case where the PNG IDAT (pixel data) section refers to a palette entry index beyond the end of the palette (see src/png/reader.go).

However, in the case where the PNG PLTE section contains exactly 255 colors, but the PNG IDAT section contains references to 256 colors, the result of image/png.Decode is an invalid PalettedImage and nil error. The invalid Image panics when Image.At is invoked for pixels that reference the 256th color.

As the above example shows, if the PNG PLTE contains 254 (or fewer) colors, the decoded image is valid and contains extra palette entries, initialized to black, for the out-of-range pixels.

I believe the problem is that readImagePass in png/reader.go should only skip palette size extension when the palette has 256 colors, not 255.
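A caller-side guard for the case reported above, as an added example that is not part of the original issue or of the Go project's code: it rejects a decoded paletted image whose pixels index past the palette before anything calls At on it. The names checkPaletteBounds, decodeChecked and samplePNG are hypothetical, and the sample PNGs are constructed in memory.

```go
package main

import (
	"bytes"
	"fmt"
	"image"
	"image/color"
	"image/png"
)

// checkPaletteBounds returns an error if img is an *image.Paletted with a
// pixel whose index is past the end of the palette (At would panic on it).
func checkPaletteBounds(img image.Image) error {
	p, ok := img.(*image.Paletted)
	if !ok {
		return nil // not paletted: nothing to check
	}
	b := p.Bounds()
	for y := b.Min.Y; y < b.Max.Y; y++ {
		for x := b.Min.X; x < b.Max.X; x++ {
			if i := int(p.ColorIndexAt(x, y)); i >= len(p.Palette) {
				return fmt.Errorf("pixel (%d,%d): index %d, palette has %d entries", x, y, i, len(p.Palette))
			}
		}
	}
	return nil
}

// decodeChecked decodes untrusted PNG data and rejects out-of-range pixels.
func decodeChecked(data []byte) (image.Image, error) {
	img, err := png.Decode(bytes.NewReader(data))
	if err != nil {
		return nil, err
	}
	if err := checkPaletteBounds(img); err != nil {
		return nil, err
	}
	return img, nil
}

// samplePNG builds a constructed 2x1 paletted PNG with nColors PLTE entries
// whose second pixel uses index idx (relies on png.Encode writing Pix as-is).
func samplePNG(nColors int, idx uint8) []byte {
	pal := make(color.Palette, nColors)
	for i := range pal {
		pal[i] = color.RGBA{uint8(i), 0, 0, 255}
	}
	m := image.NewPaletted(image.Rect(0, 0, 2, 1), pal)
	m.Pix[1] = idx
	var buf bytes.Buffer
	if err := png.Encode(&buf, m); err != nil {
		panic(err)
	}
	return buf.Bytes()
}
```

Calling decodeChecked(samplePNG(n, 255)) for n = 254, 255 and 256 exercises the three palette sizes discussed in the report; whenever it returns a nil error, At is safe to call on every pixel.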

Labels: FrozenDueToAge; NeedsInvestigation (Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.)
