font/sfnt: apply bounds checks before allocating read buffer

When using ReadAt to read more than 1MiB of data from a font file,
verify that the file contains the data before allocating the read buffer.
Avoids excessive memory allocation when parsing corrupt or malicious font files.

Thanks to Andy Gill, ZephrSec Ltd for reporting this issue.

Fixes golang/go#78382
Fixes CVE-2026-33812

Change-Id: Icd5e7388661a76a6af800f0ba0b728c46a6a6964
Reviewed-on: https://go-review.googlesource.com/c/image/+/761180
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Damien Neil <dneil@google.com>
Reviewed-by: Neal Patel <nealpatel@google.com>
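
The check described in the commit message above, sketched as an added example that is not the x/image code: `readChecked`, `probeThreshold` and `errTruncated` are hypothetical names, and probing the last byte of the range with a 1-byte `ReadAt` is an assumed way to confirm the data exists before the buffer is allocated.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"math"
)

// probeThreshold mirrors the 1MiB figure in the commit message.
const probeThreshold = 1 << 20

var errTruncated = errors.New("declared length exceeds available data")

// readChecked returns length bytes at offset from src. For reads larger than
// probeThreshold it first reads the final byte of the range, so a header that
// overstates a table's size fails before the large buffer is allocated.
// (Assumption: last-byte probing is this example's choice of check.)
func readChecked(src io.ReaderAt, offset, length int64) ([]byte, error) {
	if offset < 0 || length < 0 || offset > math.MaxInt64-length {
		return nil, errors.New("invalid offset or length")
	}
	if length == 0 {
		return nil, nil
	}
	if length > probeThreshold {
		var last [1]byte
		if n, _ := src.ReadAt(last[:], offset+length-1); n != 1 {
			return nil, errTruncated
		}
	}
	buf := make([]byte, length)
	// ReadAt may return io.EOF together with a full read, so compare n.
	if n, _ := src.ReadAt(buf, offset); n != len(buf) {
		return nil, errTruncated
	}
	return buf, nil
}

func main() {
	// Constructed input: a 64-byte "file" whose header claims a 1GiB table.
	file := bytes.NewReader(make([]byte, 64))
	_, err := readChecked(file, 12, 1<<30)
	fmt.Println("1GiB claim:", err)
	b, err := readChecked(file, 12, 16)
	fmt.Println("16-byte read:", len(b), err)
}
```
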
This repository holds supplementary Go image packages.
This repository uses Gerrit for code changes. To learn how to submit changes to this repository, see https://go.dev/doc/contribute.
The git repository is https://go.googlesource.com/image.
The main issue tracker for the image repository is located at https://go.dev/issues. Prefix your issue with “x/image:” in the subject line, so it is easy to find.