x/image/bmp: hang on degenerate image
dvyukov opened this issue · 1 comments
dvyukov commented
The following program takes 20 seconds to run. The image size is 0x538771456, so it passes the image size sanity check after DecodeConfig. But the bmp package actually reads in and decodes every row. Decode should either produce an error or instantly return a 0x0 image.
```go
package main

import (
	"bytes"

	"golang.org/x/image/bmp"
)

func main() {
	// BMP header declaring width 0 and height 538771456.
	data := []byte("BM6\x03\x00\x00\x00\x00\x00\x006\x00\x00\x00(\x00\x00\x00\x00\x00" +
		"\x00\x00\x00\x00\x1d \x01\x00\x18\x00\x00\x00\x00\x00\x00\x00\x00\x1d V" +
		"a\x00lue>`\x0e\x00\x00n\t\x00\x00\x00\x00\x00\x00\x00\x00" +
		"\x00\x00")
	cfg, err := bmp.DecodeConfig(bytes.NewReader(data))
	if err != nil {
		return
	}
	// Size sanity check: 0 * 538771456 == 0, so the image passes.
	if cfg.Width*cfg.Height > 1e6 {
		return
	}
	// Decode still walks every declared row.
	img, err := bmp.Decode(bytes.NewReader(data))
	if err != nil {
		return
	}
	var w bytes.Buffer
	bmp.Encode(&w, img)
}
```
on commit 4a3ed0c1249ebedab3c715c000034638f1cad002
gopherbot commented
CL https://golang.org/cl/9836 mentions this issue.
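A caller-side guard for the case reported above, as an added example that is not part of the issue or of the x/image code: it reads width and height straight from a 40-byte BITMAPINFOHEADER and checks each axis as well as the product. The names `checkBMPDims`, `header`, `errBadDims` and the `maxDim` cap are assumptions made for the illustration, and the sample headers are constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// maxPixels is the 1e6 limit from the report; maxDim is an assumed per-axis cap.
const maxPixels, maxDim = 1_000_000, 1 << 15

var errBadDims = errors.New("bmp: rejected dimensions")

// checkBMPDims parses width and height from a BMP file header followed by a
// 40-byte BITMAPINFOHEADER and validates each axis, not only the product.
func checkBMPDims(b []byte) (w, h int, err error) {
	if len(b) < 26 || b[0] != 'B' || b[1] != 'M' || binary.LittleEndian.Uint32(b[14:18]) != 40 {
		return 0, 0, errors.New("bmp: short or unsupported header")
	}
	w = int(int32(binary.LittleEndian.Uint32(b[18:22])))
	h = int(int32(binary.LittleEndian.Uint32(b[22:26])))
	if h < 0 { // negative height means top-down row order
		h = -h
	}
	switch {
	case w <= 0 || h <= 0: // empty axis: w*h is 0, so a product-only check passes it
		return w, h, fmt.Errorf("%w: %dx%d has an empty axis", errBadDims, w, h)
	case w > maxDim || h > maxDim: // also keeps w*h below from overflowing
		return w, h, fmt.Errorf("%w: %dx%d exceeds per-axis cap", errBadDims, w, h)
	case w*h > maxPixels:
		return w, h, fmt.Errorf("%w: %dx%d exceeds pixel budget", errBadDims, w, h)
	}
	return w, h, nil
}

// header builds a constructed 26-byte BMP prefix with the given dimensions.
func header(w, h int32) []byte {
	b := make([]byte, 26)
	copy(b, "BM")
	binary.LittleEndian.PutUint32(b[14:], 40)
	binary.LittleEndian.PutUint32(b[18:], uint32(w))
	binary.LittleEndian.PutUint32(b[22:], uint32(h))
	return b
}

func main() {
	for _, d := range [][2]int32{{0, 538771456}, {640, 480}, {1, 538771456}} {
		_, _, err := checkBMPDims(header(d[0], d[1]))
		fmt.Printf("%dx%d -> %v\n", d[0], d[1], err)
	}
}
```

Run the check on the raw bytes before handing them to a decoder, so a header with one zero axis and one huge axis is rejected without any row being read.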