Open pic4xiu opened 1 year ago
CC @nigeltao
See previously #58003 (CC @rolandshoemaker, @golang/security).
Unlike https://github.com/golang/go/issues/58003, this is in Decode. Calling DecodeConfig, in this case and generally, lets you know the dimensions of the image before attempting to decode it, which in this case are 808464432 x 808464432 (an image on the order of 600 petabytes).
Decode should probably(?) not be opportunistically attempting to preallocate the pixel slice (by calling image.NewRGBA), but since this is reliant on the user not being aware of the actual size of the image, we won't consider this a security issue.
What version of Go are you using (go version)?

Does this issue reproduce with the latest release?
Yes

What operating system and processor architecture are you using (go env)?

What did you do?

What did you expect to see?
Error returned: image size too large

What did you see instead?
I tried to modify it to limit the length of the decodeNRGBA function, but it was only roughly completed. Need to know the size of maxAlloc in the runtime package. This is the fundamental solution to this bug.