golang / go

The Go programming language
https://go.dev
BSD 3-Clause "New" or "Revised" License

image/png: makeslice: len out of range in Decode with insane image size #54586

Open catenacyber opened 2 years ago

catenacyber commented 2 years ago

What version of Go are you using (go version)?

$ go version
go version go1.17.6 darwin/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/catena/Library/Caches/go-build"
GOENV="/Users/catena/Library/Application Support/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOINSECURE=""
GOMODCACHE="/Users/catena/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="darwin"
GOPATH="/Users/catena/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/darwin_amd64"
GOVCS=""
GOVERSION="go1.17.6"
GCCGO="gccgo"
AR="ar"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD="/Users/catena/go/src/github.com/catenacyber/go/src/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -arch x86_64 -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/pp/dc1dtf9x2js3v0jx_m010nqr0000gn/T/go-build4237848497=/tmp/go-build -gno-record-gcc-switches -fno-common"
GOROOT/bin/go version: go version go1.17.6 darwin/amd64
GOROOT/bin/go tool compile -V: compile version go1.17.6
uname -v: Darwin Kernel Version 21.3.0: Wed Jan  5 21:37:58 PST 2022; root:xnu-8019.80.24~20/RELEASE_X86_64
ProductName:    macOS
ProductVersion: 12.2.1
BuildVersion:   21D62
lldb --version: lldb-1316.0.9.41
Apple Swift version 5.6 (swiftlang-5.6.0.323.62 clang-1316.0.20.8)
gdb --version: GNU gdb (GDB) 9.1

What did you do?

Run https://go.dev/play/p/JNfieKSukyI?v=gotip

What did you expect to see?

The program finishing and printing Hello with an appropriate error

What did you see instead?

Hello, %!s(<nil>) image.Config{ColorModel:(*color.modelFunc)(0xc000012060), Width:1347179589, Height:623657023}
panic: runtime error: makeslice: len out of range

goroutine 1 [running]:
image.NewGray16({{0xc000074b80?, 0x48432e?}, {0x100c000115088?, 0x4d3668?}})
    /usr/local/go-faketime/src/image/image.go:1019 +0x66
image/png.(*decoder).readImagePass(0x4d36e8?, {0x7fd864c280e0, 0xc00006c050}, 0x0?, 0x0)
    /usr/local/go-faketime/src/image/png/reader.go:477 +0x612
image/png.(*decoder).decode(0xc000045400)
    /usr/local/go-faketime/src/image/png/reader.go:374 +0x1ae
image/png.(*decoder).parseIDAT(0xc000045400, 0x45478?)
    /usr/local/go-faketime/src/image/png/reader.go:859 +0x25
image/png.(*decoder).parseChunk(0xc000045400)
    /usr/local/go-faketime/src/image/png/reader.go:918 +0x129
image/png.Decode({0x4d3688?, 0xc000016210})
    /usr/local/go-faketime/src/image/png/reader.go:977 +0x11b
main.main()
    /tmp/sandbox1166748030/prog.go:15 +0x205

Program exited.

Found by https://github.com/catenacyber/ngolo-fuzzing on oss-fuzz https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50234

I know that the result of DecodeConfig should be checked before calling Decode, but I think that in this case, the error should be a bit nicer.
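As an added example (not code from the issue or from the Go project), here is the DecodeConfig-before-Decode check the report mentions, wrapped so that the declared dimensions are compared against a budget before any pixel buffer is requested. The PNG header is constructed in-memory with the width and height from the report; the pixel budget `maxPixels` is an assumed value.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
	"image"
	"image/png"
	"io"
)

// maxPixels is an assumed application budget (hypothetical value, not from the issue).
const maxPixels = 64 * 1024 * 1024
var errTooLarge = errors.New("png: declared dimensions exceed pixel budget")

// safeDecode reads only the header via DecodeConfig and refuses to call Decode when the declared size exceeds the budget.
func safeDecode(r io.ReadSeeker) (image.Image, error) {
	cfg, err := png.DecodeConfig(r)
	if err != nil {
		return nil, err
	}
	if cfg.Width <= 0 || cfg.Height <= 0 || cfg.Width > maxPixels/cfg.Height {
		return nil, errTooLarge
	}
	if _, err := r.Seek(0, io.SeekStart); err != nil {
		return nil, err
	}
	return png.Decode(r)
}

// fakeIHDR returns a PNG signature plus a CRC-valid IHDR chunk declaring the given size as 16-bit grayscale (constructed input, not a real file).
func fakeIHDR(width, height uint32) []byte {
	chunk := []byte("IHDR\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00") // type + 13 data bytes
	binary.BigEndian.PutUint32(chunk[4:], width)
	binary.BigEndian.PutUint32(chunk[8:], height)
	var b bytes.Buffer
	b.WriteString("\x89PNG\r\n\x1a\n")
	binary.Write(&b, binary.BigEndian, uint32(13))
	b.Write(chunk)
	binary.Write(&b, binary.BigEndian, crc32.ChecksumIEEE(chunk))
	return b.Bytes()
}

func main() {
	// Dimensions from the report: DecodeConfig succeeds, the guard rejects them.
	_, err := safeDecode(bytes.NewReader(fakeIHDR(1347179589, 623657023)))
	fmt.Println(err)
}
```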

dr2chase commented 1 year ago

@nigeltao @robpike image/png is choking on fuzz, not sure what's the best plan here.

nigeltao commented 1 year ago

"Decoding some (possibly valid) PNGs can require a lot of memory" is a duplicate of #53778 (which is itself arguably a duplicate of #5050).

If we wanted image/png (in the standard library, obviously) to catch out-of-memory panics and convert them to a nicer error, then we'd probably want a number of stdlib packages to do similarly, which sounds like a broader discussion (maybe on the golang-dev mailing list??).

catenacyber commented 1 year ago

The problem is not an out of memory here, it is panic: runtime error: makeslice: len out of range ;-)

ianlancetaylor commented 1 year ago

@nigeltao The general goal here is #47653.

We can discuss the general issue on golang-dev if you like.