tiff: don't pre-allocate giant slices before reading

Use a copy of the standard library's internal/saferio.ReadDataAt func to
create/read slices which have lengths supplied by the header. This
avoids allocating giant slices which we then learn there are not enough
bytes in the reader to fill. This makes DecodeConfig safe to use to
determine if the image is of a reasonable size to call Decode on.

This was found by the ngolo-fuzzing project running on OSS-Fuzz and
reported by Philippe Antoine (Catena cyber).

Fixes golang/go#58003
Fixes CVE-2022-41727

Change-Id: Iae53f78b840f3b8dbeab37fba8c0164054cbb4ed
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1680712
Reviewed-by: Damien Neil <dneil@google.com>
TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-on: https://go-review.googlesource.com/c/image/+/468195
Auto-Submit: Roland Shoemaker <roland@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
1 file changed
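
The chunked-read approach the commit message describes, as an added example (this is not the x/image patch or the standard library's code). `readChunked` and `chunkSize` are hypothetical names, and the 1 MiB chunk size and the sample input are constructed for illustration.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
)

// chunkSize caps what one untrusted length can make us allocate before the
// reader has proven it holds the data (1 MiB is an assumption for this demo).
const chunkSize = 1 << 20

// readChunked (hypothetical name) reads n bytes at off. The result grows only
// as bytes actually arrive, unlike make([]byte, n) on a header-supplied n.
func readChunked(r io.ReaderAt, n uint64, off int64) ([]byte, error) {
	if int64(n) < 0 || n != uint64(int(n)) {
		return nil, io.ErrUnexpectedEOF // length not representable as int
	}
	scratchLen := n
	if scratchLen > chunkSize {
		scratchLen = chunkSize
	}
	scratch := make([]byte, scratchLen)
	var out []byte
	for n > 0 {
		next := n
		if next > chunkSize {
			next = chunkSize
		}
		got, err := r.ReadAt(scratch[:next], off)
		if uint64(got) < next { // input ended before the claimed length
			if err == nil || errors.Is(err, io.EOF) {
				err = io.ErrUnexpectedEOF
			}
			return nil, err
		}
		out = append(out, scratch[:next]...)
		n -= next
		off += int64(next)
	}
	return out, nil
}

func main() {
	// Constructed input: 16 bytes of data whose header claims 1 TiB.
	file := bytes.NewReader(make([]byte, 16))
	_, err := readChunked(file, 1<<40, 0)
	fmt.Println("claimed 1 TiB, had 16 bytes:", err)
}
```

With the forged 1 TiB length the function allocates one scratch chunk, hits the end of the 16-byte input on the first read, and returns an error instead of attempting the full allocation.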
tree: 006fa78f439191920f204adf2b8fc8159731f94f
  1. bmp/
  2. ccitt/
  3. cmd/
  4. colornames/
  5. draw/
  6. example/
  7. font/
  8. math/
  9. riff/
  10. testdata/
  11. tiff/
  12. vector/
  13. vp8/
  14. vp8l/
  15. webp/
  16. .gitattributes
  17. .gitignore
  18. codereview.cfg
  20. go.mod
  21. go.sum
  24. README.md

Go Images

This repository holds supplementary Go image libraries.


The easiest way to install is to run go get -u golang.org/x/image/.... You can also manually git clone the repository to $GOPATH/src/golang.org/x/image.

Report Issues / Send Patches

This repository uses Gerrit for code changes. To learn how to submit changes to this repository, see https://golang.org/doc/contribute.html.

The main issue tracker for the image repository is located at https://github.com/golang/go/issues. Prefix your issue with “x/image:” in the subject line, so it is easy to find.