-
Notifications
You must be signed in to change notification settings - Fork 447
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Specific image will cause the index of the scan function in scanner.go to go out of bounds #165
Comments
pic4xiu
changed the title
Maliciously constructed images will cause the scanner.go file index to go out of bounds
Specific image will cause the index of the scan function in scanner.go to go out of bounds
Jul 15, 2023
gopherbot
pushed a commit
to golang/image
that referenced
this issue
Jun 18, 2024
The existing implementation will succeed to parse a corrupt or malicious image with color indices out of range of the actual palette, which will eventually result in a panic when the consumer tries to read the color at any corrupted pixel. This issue was originally discovered and filed against a downstream library: disintegration/imaging#165. This is also referenced in https://osv.dev/vulnerability/GHSA-q7pp-wcgr-pffx. Fixes golang/go#67624 Change-Id: I7d7577adb7d549ecfcd59e84e04a92d198d94c18 Reviewed-on: https://go-review.googlesource.com/c/image/+/588115 Auto-Submit: Damien Neil <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]> Reviewed-by: Damien Neil <[email protected]>
stephenfire
added a commit
to stephenfire/imaging
that referenced
this issue
Nov 4, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
When we use the imaging library to parse a maliciously constructed graph, the
scan
function of thescanner.go
file will have an index out of bounds problem. The verification procedure is as follows:the
poc.tiff
is here:https://github.com/pic4xiu/pocRep/blob/main/poc.tiffwhat happened
specific reason
The specific statement that causes the program panic is in line 242 of scanner.go:
c := s.palette[img.Pix[i]]
. When processing this picture,len(img.Palette)
is only 65, butimg.Pix[i]
is indexed to 70 from the beginning, causing an out-of-bounds:The text was updated successfully, but these errors were encountered: