[image] tiff: limit PackBits decompression output size


Gerrit Bot (Gerrit)

Mar 26, 2026, 9:13:45 PM
to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Gerrit Bot has uploaded the change for review

Commit message

tiff: limit PackBits decompression output size

The `unpackBits` function has no output size limit, unlike `readBuf` which is used for LZW, Deflate, and CCITT compression. This allows a small crafted TIFF (2MB) to decompress to 745MB (372x amplification).

The CVE-2023-29408 fix added decompression limits via `readBuf` for other compression formats but did not apply the same limit to PackBits.

**Fix:** Add a `lim` parameter to `unpackBits` matching the `blockMaxDataSize` limit used by `readBuf` for other compression formats. Return a `FormatError` when the decompressed output exceeds the limit.

**Impact:** A 2MB crafted TIFF with PackBits compression decompresses to 745MB via `tiff.Decode()` or `image.Decode()`. The amplification ratio is 372x.
Change-Id: I659f1da32bd415e4cf15a6061cb9ceee7a45f2af
GitHub-Last-Rev: 7ff5fd37e90146359c16a4de8817aba9e588984c
GitHub-Pull-Request: golang/image#29

Change diff

diff --git a/tiff/compress.go b/tiff/compress.go
index 3f176f0..1520b57 100644
--- a/tiff/compress.go
+++ b/tiff/compress.go
@@ -15,11 +15,12 @@
}

// unpackBits decodes the PackBits-compressed data in src and returns the
-// uncompressed data.
+// uncompressed data. The output size is limited to lim bytes to prevent
+// decompression bombs.
//
// The PackBits compression format is described in section 9 (p. 42)
// of the TIFF spec.
-func unpackBits(r io.Reader) ([]byte, error) {
+func unpackBits(r io.Reader, lim int64) ([]byte, error) {
buf := make([]byte, 128)
dst := make([]byte, 0, 1024)
br, ok := r.(byteReader)
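Review bot: the new doc sentence "The output size is limited to lim bytes" overstates what the code does: the check added at the bottom of the loop (`if int64(len(dst)) > lim`) runs after `dst = append(...)`, so one run can carry `len(dst)` up to 128 bytes past `lim` before the error returns. Either word the comment as "returns a FormatError once the decoded output exceeds lim bytes" or move the check ahead of each append. It would also help the caller to name the error type here, since `readBuf` users already know what to expect from that path.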
@@ -54,5 +55,8 @@
}
dst = append(dst, buf[:1-code]...)
}
+ if int64(len(dst)) > lim {
+ return nil, FormatError("PackBits: decompressed data too large")
+ }
}
}
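Review bot: the bound is only checked after the append at the end of the loop body, so the over-limit bytes are allocated and copied before the error fires and `dst` can reach `lim+128`. Checking the run length before appending keeps the buffer strictly within `lim` and makes the doc comment exact, e.g. `n := 1 - code` (replicate run) or `n := code + 1` (literal run) followed by `if int64(len(dst))+int64(n) > lim { return nil, FormatError("PackBits: decompressed data too large") }` in each branch. Minor: with the check only inside the loop, a `lim <= 0` argument is rejected on the first non-empty run rather than up front; fine while the only caller passes `blockMaxDataSize`, but worth a note.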
diff --git a/tiff/reader.go b/tiff/reader.go
index 4c1de45..0ed8ad0 100644
--- a/tiff/reader.go
+++ b/tiff/reader.go
@@ -752,7 +752,7 @@
d.buf, err = readBuf(r, d.buf, blockMaxDataSize)
r.Close()
case cPackBits:
- d.buf, err = unpackBits(io.NewSectionReader(d.r, offset, n))
+ d.buf, err = unpackBits(io.NewSectionReader(d.r, offset, n), blockMaxDataSize)
default:
err = UnsupportedError(fmt.Sprintf("compression value %d", d.firstVal(tCompression)))
}
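Review bot: passing `blockMaxDataSize` here brings PackBits in line with the LZW, Deflate and CCITT branches above it, which is the right default. One thing to confirm: this limit is applied per `unpackBits` call, i.e. per strip or tile, and a single PackBits run expands at most 2 input bytes into 128 output bytes (64x), so the 372x file-level ratio in the commit message must come from many strips, possibly sharing input bytes. If the total across strips is not already bounded elsewhere (for example by the image dimension checks), a short comment saying where that total bound lives would help the next reader.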
diff --git a/tiff/reader_test.go b/tiff/reader_test.go
index c34ac01..5716773 100644
--- a/tiff/reader_test.go
+++ b/tiff/reader_test.go
@@ -73,7 +73,7 @@
"\xaa\xaa\xaa\x80\x00\x2a\xaa\xaa\xaa\xaa\x80\x00\x2a\x22\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
}}
for _, u := range unpackBitsTests {
- buf, err := unpackBits(strings.NewReader(u.compressed))
+ buf, err := unpackBits(strings.NewReader(u.compressed), 1<<20)
if err != nil {
t.Fatal(err)
}
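Review bot: the existing table tests now pass `1<<20`, but nothing exercises the new failure path. Add a case that feeds a short replicate run with a small limit, e.g. `unpackBits(strings.NewReader("\x81\xaa"), 64)`, which would decode to 128 bytes, and assert that the returned error is a `FormatError`, so a regression that drops the check is caught. A boundary case where the output is exactly `lim` bytes and must succeed would pin down the intended `>` versus `>=` semantics too.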

Change information

Files:
  • M tiff/compress.go
  • M tiff/reader.go
  • M tiff/reader_test.go
Change size: S
Delta: 3 files changed, 8 insertions(+), 4 deletions(-)
Open in Gerrit

Related details

Attention set is empty
Submit Requirements:
  • Code-Review: not satisfied
  • No-Unresolved-Comments: satisfied
  • Review-Enforcement: not satisfied
  • TryBots-Pass: not satisfied
Gerrit-MessageType: newchange
Gerrit-Project: image
Gerrit-Branch: master
Gerrit-Change-Id: I659f1da32bd415e4cf15a6061cb9ceee7a45f2af
Gerrit-Change-Number: 759960
Gerrit-PatchSet: 1
Gerrit-Owner: Gerrit Bot <letsus...@gmail.com>
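As an added illustration of the limit the change above introduces (this is not code from the golang.org/x/image change or from the tiff package), the following stand-alone Go program decodes PackBits with the output bound checked before each run is appended, so the buffer never exceeds the limit even transiently. The names `unpackBitsLimited`, `ErrTooLarge`, `repeatRunInput` and `decodedSize` are my own, and the 32-byte "highly compressible" input is constructed here to show the 64x worst-case expansion of the format; the 15-byte sample is the worked example from section 9 of the TIFF 6.0 spec, whose expected output also appears in the reader_test.go hunk.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
)

// ErrTooLarge is returned when the decoded output would exceed the caller's limit.
var ErrTooLarge = errors.New("packbits: decompressed data too large")

// unpackBitsLimited decodes PackBits data (TIFF spec section 9) from r and
// refuses to produce more than lim bytes. The bound is checked before each
// run is appended, so dst never grows past lim, not even transiently.
func unpackBitsLimited(r io.ByteReader, lim int64) ([]byte, error) {
	dst := make([]byte, 0, 1024)
	for {
		b, err := r.ReadByte()
		if err == io.EOF {
			return dst, nil
		}
		if err != nil {
			return nil, err
		}
		code := int(int8(b))
		var n int // number of output bytes this run will produce
		switch {
		case code >= 0:
			n = code + 1 // literal run: copy the next n bytes verbatim
		case code == -128:
			continue // no-op marker, produces nothing
		default:
			n = 1 - code // replicate run: repeat the next byte n times
		}
		if int64(len(dst))+int64(n) > lim {
			return nil, ErrTooLarge
		}
		if code >= 0 {
			for i := 0; i < n; i++ {
				c, err := r.ReadByte()
				if err != nil {
					return nil, fmt.Errorf("packbits: truncated literal run: %w", err)
				}
				dst = append(dst, c)
			}
		} else {
			c, err := r.ReadByte()
			if err != nil {
				return nil, fmt.Errorf("packbits: truncated replicate run: %w", err)
			}
			for i := 0; i < n; i++ {
				dst = append(dst, c)
			}
		}
	}
}

// repeatRunInput builds a constructed input of `runs` two-byte replicate runs.
// 0x81 is -127, so each run decodes to 128 copies of the following byte: this
// is the format's worst case, 2 bytes of input becoming 128 bytes of output (64x).
func repeatRunInput(runs int) []byte {
	return bytes.Repeat([]byte{0x81, 0x00}, runs)
}

// decodedSize runs the bounded decoder over src and reports the output size.
func decodedSize(src []byte, lim int64) (int, error) {
	out, err := unpackBitsLimited(bytes.NewReader(src), lim)
	if err != nil {
		return 0, err
	}
	return len(out), nil
}

func main() {
	// Worked example from the TIFF spec: 15 bytes in, 24 bytes out.
	spec := []byte{0xFE, 0xAA, 0x02, 0x80, 0x00, 0x2A, 0xFD, 0xAA, 0x03, 0x80, 0x00, 0x2A, 0x22, 0xF7, 0xAA}
	n, err := decodedSize(spec, 1<<20)
	fmt.Println("spec example:", n, err) // 24 <nil>

	in := repeatRunInput(16) // 32 bytes of input, 2048 bytes if fully decoded
	n, err = decodedSize(in, 4096)
	fmt.Println("within limit:", n, err) // 2048 <nil>
	n, err = decodedSize(in, 1024)
	fmt.Println("over limit:", n, errors.Is(err, ErrTooLarge)) // 0 true
}
```

The point of checking before the append rather than after is that the limit then bounds peak memory exactly, which is what a caller sizing `blockMaxDataSize` against a strip's expected pixel count actually wants; the post-append check in the change is still sufficient to stop the amplification, it just allows one extra run of up to 128 bytes.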

Gopher Robot (Gerrit)

Mar 26, 2026, 9:13:46 PM
to Gerrit Bot, goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Gopher Robot added 1 comment

Patchset-level comments
File-level comment, Patchset 1 (Latest):
Gopher Robot . unresolved

I spotted some possible problems with your PR:

1. You have a long 207 character line in the commit message body. Please add line breaks to long lines that should be wrapped. Lines in the commit message body should be wrapped at ~76 characters unless needed for things like URLs or tables. (Note: GitHub might render long lines as soft-wrapped, so double-check in the Gerrit commit message shown above.)
2. It looks like you are using markdown in the commit message. If so, please remove it. Be sure to double-check the plain text shown in the Gerrit commit message above for any markdown backticks, markdown links, or other markdown formatting.
3. You usually need to reference a bug number for all but trivial or cosmetic fixes. For the image repo, the format is usually 'Fixes golang/go#12345' or 'Updates golang/go#12345' at the end of the commit message. Should you have a bug reference?

Please address any problems by updating the GitHub PR.

When complete, mark this comment as 'Done' and click the [blue 'Reply' button](https://go.dev/wiki/GerritBot#i-left-a-reply-to-a-comment-in-gerrit-but-no-one-but-me-can-see-it) above. These findings are based on heuristics; if a finding does not apply, briefly reply here saying so.

To update the commit title or commit message body shown here in Gerrit, you must edit the GitHub PR title and PR description (the first comment) in the GitHub web interface using the 'Edit' button or 'Edit' menu entry there. Note: pushing a new commit to the PR will not automatically update the commit message used by Gerrit.

For more details, see:

(In general for Gerrit code reviews, the change author is expected to [log in to Gerrit](https://go-review.googlesource.com/login/) with a Gmail or other Google account and then close out each piece of feedback by marking it as 'Done' if implemented as suggested or otherwise reply to each review comment. See the [Review](https://go.dev/doc/contribute#review) section of the Contributing Guide for details.)


Gerrit Bot (Gerrit)

Apr 3, 2026, 11:02:42 AM
to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com

Gerrit Bot uploaded new patchset

Gerrit Bot uploaded patch set #2 to this change.


Mohammad Seet (Gerrit)

Apr 3, 2026, 11:13:08 AM
to Gerrit Bot, goph...@pubsubhelper.golang.org, Gopher Robot, golang-co...@googlegroups.com

Mohammad Seet added 1 comment

Patchset-level comments
File-level comment, Patchset 2 (Latest):
Mohammad Seet . resolved

Done. Cleaned up commit message (wrapped long lines, removed markdown), added bug reference (Updates golang/go#61582). Updated via GitHub PR.


Gerrit Bot (Gerrit)

Apr 3, 2026, 11:23:35 AM
to Mohammad Seet, goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
Attention needed from Dmitri Shuralyov

Gerrit Bot uploaded new patchset

Gerrit Bot uploaded patch set #3 to this change.


Mohammad Seet (Gerrit)

Apr 4, 2026, 1:17:20 AM
to Gerrit Bot, goph...@pubsubhelper.golang.org, Dmitri Shuralyov, Gopher Robot, golang-co...@googlegroups.com
Attention needed from Dmitri Shuralyov

Message from Mohammad Seet

Done. Removed duplicated title from body and ensured clean formatting.


Gerrit Bot (Gerrit)

Apr 4, 2026, 1:17:52 AM
to Mohammad Seet, goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
Attention needed from Dmitri Shuralyov

Gerrit Bot uploaded new patchset

Gerrit Bot uploaded patch set #4 to this change.


Nigel Tao (Gerrit)

8:52 PM
to Mohammad Seet, Gerrit Bot, goph...@pubsubhelper.golang.org, Dmitri Shuralyov, Damien Neil, Gopher Robot, golang-co...@googlegroups.com

Nigel Tao voted Code-Review+2

Gerrit-MessageType: comment
Gerrit-Project: image
Gerrit-Branch: master
Gerrit-Change-Id: I659f1da32bd415e4cf15a6061cb9ceee7a45f2af
Gerrit-Change-Number: 759960
Gerrit-PatchSet: 4
Gerrit-Owner: Gerrit Bot <letsus...@gmail.com>
Gerrit-Reviewer: Nigel Tao <nige...@golang.org>
Gerrit-CC: Damien Neil <dn...@google.com>
Gerrit-CC: Dmitri Shuralyov <dmit...@golang.org>
Gerrit-CC: Gopher Robot <go...@golang.org>
Gerrit-CC: Mohammad Seet <mohamm...@gmail.com>
Gerrit-Comment-Date: Tue, 12 May 2026 00:52:14 +0000
Gerrit-HasComments: No
Gerrit-Has-Labels: Yes