When we use the imaging library to parse a maliciously constructed graph, the scan function of the scanner.go file will have an index out of bounds problem. The verification procedure is as follows:
❯ go run poc.go
panic: runtime error: index out of range [70] with length 65
goroutine 3 [running]:
github.com/disintegration/imaging.(*scanner).scan(0x1400002a040, 0x0, 0x0, 0x96, 0x1, {0x140000f0000, 0x0?, 0xf168})
/Users/**/go/pkg/mod/github.com/disintegration/imaging@v1.6.2/scanner.go:242 +0x3a4
github.com/disintegration/imaging.Grayscale.func1(0x0?)
/Users/**/go/pkg/mod/github.com/disintegration/imaging@v1.6.2/adjust.go:16 +0xa0
github.com/disintegration/imaging.parallel.func1()
/Users/**/go/pkg/mod/github.com/disintegration/imaging@v1.6.2/utils.go:33 +0x5c
created by github.com/disintegration/imaging.parallel
/Users/**/go/pkg/mod/github.com/disintegration/imaging@v1.6.2/utils.go:31 +0xcc
exit status 2
specific reason
The specific statement that causes the program panic is in line 242 of scanner.go: c := s.palette[img.Pix[i]]. When processing this picture, len(img.Palette) is only 65, but img.Pix[i] is indexed to 70 from the beginning, causing an out-of-bounds:
package main
import (
"fmt"
"image"
"os"
"runtime"
"github.com/disintegration/imaging"
)
func main() {
runtime.GOMAXPROCS(1)
file, _ := os.Open("poc.tiff")
src, _, err := image.Decode(file)
if err != nil {
return
}
if img, ok := src.(*image.Paletted); ok {
fmt.Println(len(img.Palette))
}
imaging.Grayscale(src)
}
> go run .\main.go
65
panic: runtime error: index out of range [70] with length 65
When we use the imaging library to parse a maliciously constructed graph, the
scanfunction of thescanner.gofile will have an index out of bounds problem. The verification procedure is as follows:the
poc.tiffis here:https://github.com/pic4xiu/pocRep/blob/main/poc.tiffwhat happened
specific reason
The specific statement that causes the program panic is in line 242 of scanner.go:
c := s.palette[img.Pix[i]]. When processing this picture,len(img.Palette)is only 65, butimg.Pix[i]is indexed to 70 from the beginning, causing an out-of-bounds: