[go] image/png: fix interlaced palette out-of-bounds

11 views
Skip to first unread message

Nigel Tao (Gerrit)

unread,
Oct 7, 2021, 9:18:07 PM10/7/21
to goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Andrew Gerrand, Go Bot, golang-co...@googlegroups.com

Nigel Tao submitted this change.

View Change


Approvals: Andrew Gerrand: Looks good to me, approved Nigel Tao: Trusted 
image/png: fix interlaced palette out-of-bounds

PNG images can be paletted, where each pixel value (a uint8) indexes a
slice of colors. In terms of wire format, the PLTE chunk explicitly
contains the palette length. However, in practice, some arguably
malformed images contain pixel values greater than or equal to the
explicit PLTE length.

Go's image/png decoder accomodates such images by lengthening the
decoded image's palette if the implicit maximum is larger than the
explicit maximum. This was already done, prior to this commit, by the
"if len(paletted.Palette) <= int(idx)" lines in decoder.readImagePass.

Separately, PNG images can also be interlaced, where the final image is
the result of merging multiple partial images, also called passes. Prior
to this commit, we applied the palette lengthening to the pass images
but not the final image. This commit fixes that.

Fixes #48612

Change-Id: I77606538cc9a504fbd726071756ebcd10c9da73f
Reviewed-on: https://go-review.googlesource.com/c/go/+/354709
Trust: Nigel Tao <nige...@golang.org>
Reviewed-by: Andrew Gerrand <a...@golang.org>
---
M src/image/png/reader.go
1 file changed, 39 insertions(+), 1 deletion(-)

diff --git a/src/image/png/reader.go b/src/image/png/reader.go
index 910520b..4c65038 100644
--- a/src/image/png/reader.go
+++ b/src/image/png/reader.go
@@ -821,9 +821,17 @@
 		dstPix, stride, rect = target.Pix, target.Stride, target.Rect
 		bytesPerPixel = 8
 	case *image.Paletted:
-		srcPix = src.(*image.Paletted).Pix
+		source := src.(*image.Paletted)
+		srcPix = source.Pix
 		dstPix, stride, rect = target.Pix, target.Stride, target.Rect
 		bytesPerPixel = 1
+		if len(target.Palette) < len(source.Palette) {
+			// readImagePass can return a paletted image whose implicit palette
+			// length (one more than the maximum Pix value) is larger than the
+			// explicit palette length (what's in the PLTE chunk). Make the
+			// same adjustment here.
+			target.Palette = source.Palette
+		}
 	case *image.RGBA:
 		srcPix = src.(*image.RGBA).Pix
 		dstPix, stride, rect = target.Pix, target.Stride, target.Rect

To view, visit change 354709. To unsubscribe, or for help writing mail filters, visit settings.

Gerrit-Project: go
Gerrit-Branch: master
Gerrit-Change-Id: I77606538cc9a504fbd726071756ebcd10c9da73f
Gerrit-Change-Number: 354709
Gerrit-PatchSet: 3
Gerrit-Owner: Nigel Tao <nige...@golang.org>
Gerrit-Reviewer: Andrew Gerrand <a...@golang.org>
Gerrit-Reviewer: Go Bot <go...@golang.org>
Gerrit-Reviewer: Nigel Tao <nige...@golang.org>
Gerrit-MessageType: merged
Reply all
Reply to author
Forward
0 new messages