x/image/tiff: slice bounds out of range
dvyukov opened this issue · 3 comments
dvyukov commented
The following program crashes as:
```
panic: runtime error: slice bounds out of range

goroutine 1 [running]:
golang.org/x/image/tiff.(*decoder).ifdUint(0xc208072000, 0xc20801a0e4, 0xc, 0x3c, 0xc208074000, 0xc0000001, 0xc0000001, 0x0, 0x0)
	/ssd/src/gopath/src/golang.org/x/image/tiff/reader.go:98 +0x5e7
golang.org/x/image/tiff.(*decoder).parseIFD(0xc208072000, 0xc20801a0e4, 0xc, 0x3c, 0x0, 0x0)
	/ssd/src/gopath/src/golang.org/x/image/tiff/reader.go:125 +0x122
golang.org/x/image/tiff.newDecoder(0x7fdfb9016260, 0xc20800e440, 0x0, 0x0, 0x0)
	/ssd/src/gopath/src/golang.org/x/image/tiff/reader.go:415 +0x6d7
golang.org/x/image/tiff.Decode(0x7fdfb9016260, 0xc20800e440, 0x0, 0x0, 0x0, 0x0)
	/ssd/src/gopath/src/golang.org/x/image/tiff/reader.go:517 +0x6b
main.main()
	/tmp/tiff.go:9 +0xa6
```
```go
package main

import (
	"strings"

	"golang.org/x/image/tiff"
)

func main() {
	tiff.Decode(strings.NewReader(data))
}

var data = "II*\x00\xc8\x03\x00\x00000000000000" +
	"00000000000000000000" +
	"00000000000000000000" +
	"00000000000000000000" +
	"00000000000000000000" +
	"00000000000000000000" +
	"00000000000000000000" +
	"00000000000000000000" +
	"00000000000000000000" +
	"00000000000000000000" +
	"00000000000000000000" +
	"00000000000000000000" +
	"00000000000000000000" +
	"00000000000000000000" +
	"00000000000000000000" +
	"00000000000000000000" +
	"00000000000000000000" +
	"00000000000000000000" +
	"00000000000000000000" +
	"00000000000000000000" +
	"00000000000000000000" +
	"00000000000000000000" +
	"00000000000000000000" +
	"00000000000000000000" +
	"00000000000000000000" +
	"00000000000000000000" +
	"00000000000000000000" +
	"00000000000000000000" +
	"00000000000000000000" +
	"00000000000000000000" +
	"00000000000000000000" +
	"00000000000000000000" +
	"00000000000000000000" +
	"00000000000000000000" +
	"00000000000000000000" +
	"00000000000000000000" +
	"00000000000000000000" +
	"00000000000000000000" +
	"00000000000000000000" +
	"00000000000000000000" +
	"00000000000000000000" +
	"00000000000000000000" +
	"00000000000000000000" +
	"00000000000000000000" +
	"00000000000000000000" +
	"00000000000000000000" +
	"00000000000000000000" +
	"00000000\f\x000000000000" +
	"00000000000000000000" +
	"00000000000000000000" +
	"00000000000000000000" +
	"00000000000000\x17\x01\x04\x00\x01\x00" +
	"\x00\xc0000000000000000000" +
	"00000000000000000000" +
	"00000000000000000000" +
	"000000"
```
on commit b2f48f3f517c959ebf11245aa7bf39b127497e9c
dvyukov commented
chai2010 commented
The `uint32(datalen)` is larger than `math.MaxInt32`, then the `if datalen > 4` test is false. This causes the panic.
https://github.com/golang/image/blob/master/tiff/reader.go#L75
bsiegert commented
https://go-review.googlesource.com/9378 x/image/tiff: reject IFDs whose data is longer than int.
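
An added example, not code from golang.org/x/image: it decodes the 12-byte IFD entry embedded in the reproducer (field type 4, count 0xc0000001, the value visible in the stack trace) and compares a byte length computed as size × count in uint32 arithmetic with a version that rejects oversized counts, in the spirit of the fix's title. The names `wrappedLen`, `checkedLen` and `typeSize`, and the assumption that the length is a uint32 product, are illustrative.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"math"
)

// Taken from the reproducer: the IFD entry "\x17\x01\x04\x00\x01\x00\x00\xc0"
// plus the four '0' bytes that follow it (the value/offset field).
var entry = []byte("\x17\x01\x04\x00\x01\x00\x00\xc00000")

// Byte sizes of TIFF field types 1..5: BYTE, ASCII, SHORT, LONG, RATIONAL.
var typeSize = [...]uint32{0, 1, 1, 2, 4, 8}

var errTooLarge = errors.New("IFD data too large")

// wrappedLen models an unchecked length (assumption): size*count in uint32.
func wrappedLen(p []byte) uint32 {
	dt := binary.LittleEndian.Uint16(p[2:4])
	count := binary.LittleEndian.Uint32(p[4:8])
	return typeSize[dt] * count // silently wraps modulo 2^32
}

// checkedLen rejects short entries, unknown types, and any count whose
// byte length would not fit in a 32-bit signed int.
func checkedLen(p []byte) (int, error) {
	if len(p) < 12 {
		return 0, errors.New("short IFD entry")
	}
	dt := binary.LittleEndian.Uint16(p[2:4])
	if dt == 0 || int(dt) >= len(typeSize) {
		return 0, errors.New("unsupported field type")
	}
	count := binary.LittleEndian.Uint32(p[4:8])
	if count > math.MaxInt32/typeSize[dt] {
		return 0, errTooLarge
	}
	return int(typeSize[dt] * count), nil
}

func main() {
	count := binary.LittleEndian.Uint32(entry[4:8])
	fmt.Printf("count=%#x wrapped length=%d\n", count, wrappedLen(entry))
	_, err := checkedLen(entry)
	fmt.Println("checked:", err)
}
```

With the wrapped length equal to 4, a `datalen > 4` test does not fire even though the entry claims 0xc0000001 values, so any loop driven by the count reads past a 4-byte buffer.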