Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Specific image will cause the index of the scan function in scanner.go to go out of bounds #165

Open
pic4xiu opened this issue Jul 14, 2023 · 0 comments
Open

Specific image will cause the index of the scan function in scanner.go to go out of bounds #165

pic4xiu opened this issue Jul 14, 2023 · 0 comments

Comments

@pic4xiu
Copy link

pic4xiu commented Jul 14, 2023

When we use the imaging library to parse a maliciously constructed graph, the scan function of the scanner.go file will have an index out of bounds problem. The verification procedure is as follows:

package main

import (
	"image"
	"os"
	"runtime"

	"github.com/disintegration/imaging"
)

func main() {
	runtime.GOMAXPROCS(1)
	file, _ := os.Open("poc.tiff")
	src, _, err := image.Decode(file)
	if err != nil {
		return
	}
	imaging.Grayscale(src)
}

the poc.tiff is here:https://github.com/pic4xiu/pocRep/blob/main/poc.tiff

what happened

❯ go run poc.go
panic: runtime error: index out of range [70] with length 65

goroutine 3 [running]:
github.com/disintegration/imaging.(*scanner).scan(0x1400002a040, 0x0, 0x0, 0x96, 0x1, {0x140000f0000, 0x0?, 0xf168})
        /Users/**/go/pkg/mod/github.com/disintegration/imaging@v1.6.2/scanner.go:242 +0x3a4
github.com/disintegration/imaging.Grayscale.func1(0x0?)
        /Users/**/go/pkg/mod/github.com/disintegration/imaging@v1.6.2/adjust.go:16 +0xa0
github.com/disintegration/imaging.parallel.func1()
        /Users/**/go/pkg/mod/github.com/disintegration/imaging@v1.6.2/utils.go:33 +0x5c
created by github.com/disintegration/imaging.parallel
        /Users/**/go/pkg/mod/github.com/disintegration/imaging@v1.6.2/utils.go:31 +0xcc
exit status 2

specific reason

The specific statement that causes the program panic is in line 242 of scanner.go: c := s.palette[img.Pix[i]]. When processing this picture, len(img.Palette) is only 65, but img.Pix[i] is indexed to 70 from the beginning, causing an out-of-bounds:

package main

import (
	"fmt"
	"image"
	"os"
	"runtime"

	"github.com/disintegration/imaging"
)

func main() {
	runtime.GOMAXPROCS(1)
	file, _ := os.Open("poc.tiff")
	src, _, err := image.Decode(file)
	if err != nil {
		return
	}
	if img, ok := src.(*image.Paletted); ok {
		fmt.Println(len(img.Palette))
	}
	imaging.Grayscale(src)
}

> go run .\main.go
65
panic: runtime error: index out of range [70] with length 65

image
@pic4xiu pic4xiu mentioned this issue Jul 15, 2023
Closed
@pic4xiu pic4xiu changed the title Maliciously constructed images will cause the scanner.go file index to go out of bounds Specific image will cause the index of the scan function in scanner.go to go out of bounds Jul 15, 2023
@GoVulnBot GoVulnBot mentioned this issue Sep 5, 2023
Closed
@hedhyw hedhyw mentioned this issue Sep 21, 2023
Closed
@jswright jswright mentioned this issue May 23, 2024
Closed
gopherbot pushed a commit to golang/image that referenced this issue Jun 18, 2024
@jswright @gopherbot
tiff: Validate palette indices when parsing palette-color images
3bbf4a6 
The existing implementation will succeed to parse a corrupt or malicious
image with color indices out of range of the actual palette, which will
eventually result in a panic when the consumer tries to read the color
at any corrupted pixel.

This issue was originally discovered and filed against a downstream
library: disintegration/imaging#165. This is
also referenced in https://osv.dev/vulnerability/GHSA-q7pp-wcgr-pffx.

Fixes golang/go#67624

Change-Id: I7d7577adb7d549ecfcd59e84e04a92d198d94c18
Reviewed-on: https://go-review.googlesource.com/c/image/+/588115
Auto-Submit: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
stephenfire added a commit to stephenfire/imaging that referenced this issue Nov 4, 2024
@stephenfire
tiff: ignore invalid palette indices when parsing palette-color images
4c39dfc 
disintegration#165
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@pic4xiu