Specific image will cause the index of the scan function in scanner.go to go out of bounds #165

@pic4xiu

When we use the imaging library to parse a maliciously constructed graph, the scan function of the scanner.go file will have an index out of bounds problem. The verification procedure is as follows:

package main

import (
	"image"
	"os"
	"runtime"

	"github.com/disintegration/imaging"
)

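func main() {
	runtime.GOMAXPROCS(1)
	file, err := os.Open("poc.tiff")
	if err != nil {
		return
	}
	defer file.Close()
	src, _, err := image.Decode(file)
	if err != nil {
		return
	}
	// For poc.tiff this call panics inside (*scanner).scan.
	imaging.Grayscale(src)
}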

The poc.tiff is here: https://github.com/pic4xiu/pocRep/blob/main/poc.tiff

What happened

❯ go run poc.go
panic: runtime error: index out of range [70] with length 65

goroutine 3 [running]:
github.com/disintegration/imaging.(*scanner).scan(0x1400002a040, 0x0, 0x0, 0x96, 0x1, {0x140000f0000, 0x0?, 0xf168})
        /Users/**/go/pkg/mod/github.com/disintegration/imaging@v1.6.2/scanner.go:242 +0x3a4
github.com/disintegration/imaging.Grayscale.func1(0x0?)
        /Users/**/go/pkg/mod/github.com/disintegration/imaging@v1.6.2/adjust.go:16 +0xa0
github.com/disintegration/imaging.parallel.func1()
        /Users/**/go/pkg/mod/github.com/disintegration/imaging@v1.6.2/utils.go:33 +0x5c
created by github.com/disintegration/imaging.parallel
        /Users/**/go/pkg/mod/github.com/disintegration/imaging@v1.6.2/utils.go:31 +0xcc
exit status 2

Specific reason

The specific statement that causes the program to panic is on line 242 of scanner.go: c := s.palette[img.Pix[i]]. When processing this picture, len(img.Palette) is only 65, but img.Pix[i] is indexed to 70 from the beginning, causing an out-of-bounds access:

package main

import (
	"fmt"
	"image"
	"os"
	"runtime"

	"github.com/disintegration/imaging"
)

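func main() {
	runtime.GOMAXPROCS(1)
	file, err := os.Open("poc.tiff")
	if err != nil {
		return
	}
	defer file.Close()
	src, _, err := image.Decode(file)
	if err != nil {
		return
	}
	// Print the palette length of the decoded image before triggering the panic.
	if img, ok := src.(*image.Paletted); ok {
		fmt.Println(len(img.Palette))
	}
	imaging.Grayscale(src)
}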

> go run .\main.go
65
panic: runtime error: index out of range [70] with length 65
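
A pre-flight check for the condition reported above, as an added example that is not part of the original issue or of the imaging library: it walks a decoded *image.Paletted and rejects any pixel whose index has no palette entry. The names validatePaletted and constructedSample are hypothetical, and the 4x4 sample image is constructed to mirror the 65-entry palette and index 70 from the report.

```go
package main

import (
	"fmt"
	"image"
	"image/color"
)

// validatePaletted returns an error if any pixel of a paletted image holds an
// index with no matching palette entry. Other image types pass through.
func validatePaletted(src image.Image) error {
	img, ok := src.(*image.Paletted)
	if !ok || img.Rect.Empty() {
		return nil
	}
	b, n := img.Rect, len(img.Palette)
	for y := b.Min.Y; y < b.Max.Y; y++ {
		off := img.PixOffset(b.Min.X, y)
		// Guard against a pixel buffer that does not cover the bounds.
		if off < 0 || off+b.Dx() > len(img.Pix) {
			return fmt.Errorf("row %d: pixel buffer shorter than bounds", y)
		}
		for x, idx := range img.Pix[off : off+b.Dx()] {
			if int(idx) >= n {
				return fmt.Errorf("pixel (%d,%d): palette index %d, palette length %d",
					b.Min.X+x, y, idx, n)
			}
		}
	}
	return nil
}

// constructedSample builds a 4x4 image with a 65-entry palette (the length
// reported in the issue) and one pixel set to idx. Constructed test data.
func constructedSample(idx uint8) image.Image {
	pal := make(color.Palette, 65)
	for i := range pal {
		pal[i] = color.Gray{Y: uint8(i)}
	}
	img := image.NewPaletted(image.Rect(0, 0, 4, 4), pal)
	img.Pix[5] = idx // pixel (1,1) with stride 4
	return img
}

func main() {
	fmt.Println(validatePaletted(constructedSample(64))) // last valid index
	fmt.Println(validatePaletted(constructedSample(70))) // index from the panic
}
```

Running this check on the result of image.Decode before calling imaging.Grayscale lets the caller reject such a file with an error instead of reaching the indexing statement on line 242 of scanner.go.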
