v0.10.0

Fix two paths by which a malicious image could cause unreasonable
amounts of CPU consumption while decoding.

Avoid iterating over every horizontal pixel when decoding
a 0-height tiled image.

Limit the amount of data that will be decompressed per tile.

Thanks to Philippe Antoine (Catena cyber) for reporting this issue.

Fixes CVE-2023-29407
Fixes CVE-2023-29408
Fixes golang/go#61581
Fixes golang/go#61582

Change-Id: I8cbb26fa06843c6fe9fa99810cb1315431fa7d1d
Reviewed-on: https://go-review.googlesource.com/c/image/+/514897
Reviewed-by: Roland Shoemaker <roland@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Damien Neil <dneil@google.com>
Run-TryBot: Damien Neil <dneil@google.com>
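
The two mitigations named in the commit message, as an added example that is not the golang.org/x/image code: return before doing any work for an empty tile, and cap inflated output at the size the declared tile geometry allows. It assumes zlib-compressed tiles; `DecodeTile`, `Deflate`, the error values and the `maxDim` cap are hypothetical names chosen for this sketch.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"errors"
	"fmt"
	"io"
)

// Hypothetical names for this example; none of this is x/image API.
var ErrTileTooLarge = errors.New("tile inflates past the size its dimensions allow")
var ErrBadGeometry = errors.New("tile dimensions out of range")

const maxDim = 1 << 15 // assumed per-side cap; also keeps the size product from overflowing

// DecodeTile inflates one zlib-compressed tile, reading no more output than
// the declared geometry can hold.
func DecodeTile(compressed []byte, width, height, bytesPerPixel int) ([]byte, error) {
	if width < 0 || height < 0 || width > maxDim || height > maxDim || bytesPerPixel < 1 || bytesPerPixel > 16 {
		return nil, ErrBadGeometry
	}
	if width == 0 || height == 0 {
		return nil, nil // empty tile: return before any per-row or per-pixel work
	}
	want := int64(width) * int64(height) * int64(bytesPerPixel)
	zr, err := zlib.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	// Allow one byte over budget so oversize output is an error, not a silent truncation.
	buf, err := io.ReadAll(io.LimitReader(zr, want+1))
	if err == nil && int64(len(buf)) > want {
		return nil, ErrTileTooLarge
	}
	return buf, err
}

// Deflate builds constructed sample input: n zero bytes, zlib-compressed.
func Deflate(n int) []byte {
	var b bytes.Buffer
	zw := zlib.NewWriter(&b)
	zw.Write(make([]byte, n))
	zw.Close()
	return b.Bytes()
}

func main() {
	_, err := DecodeTile(Deflate(1<<20), 4, 4, 1) // 1 MiB stream declared as a 16-byte tile
	fmt.Println(err)
}
```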