webp: reject VP8X headers with too-large canvases

RFC 9649 states that the canvas width * height must be
at most 2^32-1. Enforce this.

This avoids creating an invalid image (which will panic
when manipulated) when decoding a too-large image on
32-bit platforms.

https://www.rfc-editor.org/rfc/rfc9649.html#section-2.7-12

Fixes golang/go#78407
Fixes CVE-2026-33813

Change-Id: I7e2b68374681da4f72ee51ebfd8833006a6a6964
Reviewed-on: https://go-review.googlesource.com/c/image/+/759860
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Damien Neil <dneil@google.com>
Reviewed-by: Neal Patel <nealpatel@google.com>
2 files changed
tree: 77f4e0b019cead3e25b14ddea5277b1755318803
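
The check the commit message describes, as an added example (not the x/image code; every identifier below is hypothetical). It assumes the 10-byte VP8X payload layout from the WebP container format: one flags byte, three reserved bytes, then 24-bit little-endian "width minus one" and "height minus one". It also shows how a 32-bit product of the two dimensions wraps, which is why the comparison is done in 64 bits.

```go
package main

import (
	"errors"
	"fmt"
)

// All identifiers here are hypothetical; they are not x/image names.
var (
	errShortHeader    = errors.New("vp8x: payload shorter than 10 bytes")
	errCanvasTooLarge = errors.New("vp8x: canvas width * height exceeds 2^32-1")
)

const maxCanvasPixels = 1<<32 - 1 // limit quoted in the commit message

func get24(b []byte) uint32 { return uint32(b[0]) | uint32(b[1])<<8 | uint32(b[2])<<16 }

func put24(b []byte, v uint32) { b[0], b[1], b[2] = byte(v), byte(v>>8), byte(v>>16) }

// header builds a constructed 10-byte VP8X payload for a w x h canvas.
func header(w, h uint32) []byte {
	p := make([]byte, 10) // p[0] flags, p[1:4] reserved
	put24(p[4:7], w-1)    // canvas width minus one, little-endian
	put24(p[7:10], h-1)   // canvas height minus one, little-endian
	return p
}

// parseVP8XCanvas returns the canvas size, rejecting oversized canvases.
// The product is taken in uint64 so the check is the same on 32-bit builds.
func parseVP8XCanvas(p []byte) (w, h uint32, err error) {
	if len(p) < 10 {
		return 0, 0, errShortHeader
	}
	w, h = get24(p[4:7])+1, get24(p[7:10])+1
	if uint64(w)*uint64(h) > maxCanvasPixels {
		return 0, 0, errCanvasTooLarge
	}
	return w, h, nil
}

// wrapped32 is the pixel count a 32-bit multiplication would report.
func wrapped32(w, h uint32) int32 { return int32(w * h) }

func main() {
	for _, c := range [][2]uint32{{65535, 65537}, {65536, 65536}, {50000, 100000}} {
		_, _, err := parseVP8XCanvas(header(c[0], c[1]))
		fmt.Printf("%dx%d: 32-bit product=%d, err=%v\n", c[0], c[1], wrapped32(c[0], c[1]), err)
	}
}
```
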
  1. bmp/
  2. ccitt/
  3. cmd/
  4. colornames/
  5. draw/
  6. example/
  7. font/
  8. math/
  9. riff/
  10. testdata/
  11. tiff/
  12. vector/
  13. vp8/
  14. vp8l/
  15. webp/
  16. .gitattributes
  17. .gitignore
  18. codereview.cfg
  19. CONTRIBUTING.md
  20. go.mod
  21. go.sum
  22. LICENSE
  23. PATENTS
  24. README.md
README.md

Go Images

This repository holds supplementary Go image packages.

Report Issues / Send Patches

This repository uses Gerrit for code changes. To learn how to submit changes to this repository, see https://go.dev/doc/contribute.

The git repository is https://go.googlesource.com/image.

The main issue tracker for the image repository is located at https://go.dev/issues. Prefix your issue with “x/image:” in the subject line, so it is easy to find.