commit | e6c2a4cdd539b91fd11131f9eecf9bb5087ab55f | [log] [tgz] |
---|---|---|
author | Roland Shoemaker <bracewell@google.com> | Thu Dec 15 10:07:49 2022 -0800 |
committer | Gopher Robot <gobot@golang.org> | Tue Feb 14 17:44:59 2023 +0000 |
tree | 006fa78f439191920f204adf2b8fc8159731f94f | |
parent | 3db422c472d5a080580038354d8557357adbdb9c [diff] |
tiff: don't pre-allocate giant slices before reading Use a copy of the standard libraries internal/saferio.ReadDataAt func to create/read slices which have lengths supplied by the header. This avoids allocating giant slices which we then learn there are not enough bytes in the reader to fill. This makes DecodeConfig safe to use to determine if the image is of a reasonable size to call Decode on. This was found by the ngolo-fuzzing project running on OSS-Fuzz and reported by Philippe Antoine (Catena cyber). Fixes golang/go#58003 Fixes CVE-2022-41727 Change-Id: Iae53f78b840f3b8dbeab37fba8c0164054cbb4ed Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1680712 Reviewed-by: Damien Neil <dneil@google.com> TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com> Run-TryBot: Roland Shoemaker <bracewell@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> Reviewed-on: https://go-review.googlesource.com/c/image/+/468195 Auto-Submit: Roland Shoemaker <roland@golang.org> Run-TryBot: Roland Shoemaker <roland@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org>
This repository holds supplementary Go image libraries.
The easiest way to install is to run go get -u golang.org/x/image/...
. You can also manually git clone the repository to $GOPATH/src/golang.org/x/image
.
This repository uses Gerrit for code changes. To learn how to submit changes to this repository, see https://golang.org/doc/contribute.html.
The main issue tracker for the image repository is located at https://github.com/golang/go/issues. Prefix your issue with “x/image:” in the subject line, so it is easy to find.