commit | 3bbf4a659e56fde394e7214ddd17673223aca672 | |
---|---|---|
author | John Wright <jsw@google.com> | Wed May 22 22:46:48 2024 |
committer | Gopher Robot <gobot@golang.org> | Tue Jun 18 20:19:45 2024 |
tree | 3231f043801199326cb11910bace3ddfa06d1c12 | |
parent | 6c5fa462eb87ac98bad9b09ea3b041dd770fa611 | |
tiff: Validate palette indices when parsing palette-color images

The existing implementation will succeed to parse a corrupt or malicious image with color indices out of range of the actual palette, which will eventually result in a panic when the consumer tries to read the color at any corrupted pixel.

This issue was originally discovered and filed against a downstream library: https://github.com/disintegration/imaging/issues/165. This is also referenced in https://osv.dev/vulnerability/GHSA-q7pp-wcgr-pffx.

Fixes golang/go#67624

Change-Id: I7d7577adb7d549ecfcd59e84e04a92d198d94c18
Reviewed-on: https://go-review.googlesource.com/c/image/+/588115
Auto-Submit: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
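The failure mode the commit message describes can be reproduced with the standard library's `image.Paletted`. The following is an added example, not code from this commit or from x/image; `validatePalette`, `readPanics` and `corruptSample` are hypothetical names, and the 2x2 image is constructed. It shows the index check a consumer can run on a decoded palette image before reading pixels.

```go
package main

import (
	"fmt"
	"image"
	"image/color"
)

// validatePalette (hypothetical helper, not the x/image fix) returns an error
// for the first pixel whose index does not address an entry in img.Palette.
func validatePalette(img *image.Paletted) error {
	n, b := len(img.Palette), img.Bounds()
	for y := b.Min.Y; y < b.Max.Y; y++ {
		off := img.PixOffset(b.Min.X, y)
		for x, idx := range img.Pix[off : off+b.Dx()] {
			if int(idx) >= n {
				return fmt.Errorf("pixel (%d,%d): index %d out of range for %d-color palette",
					b.Min.X+x, y, idx, n)
			}
		}
	}
	return nil
}

// readPanics reports whether img.At(x, y) panics, which is what a consumer
// hits when it reads a pixel whose index was never validated.
func readPanics(img *image.Paletted, x, y int) (panicked bool) {
	defer func() { panicked = recover() != nil }()
	_ = img.At(x, y)
	return false
}

// corruptSample builds a constructed 2x2 image with a 2-entry palette and
// sets the last pixel to index 7, standing in for a corrupt decoded image.
func corruptSample() *image.Paletted {
	img := image.NewPaletted(image.Rect(0, 0, 2, 2), color.Palette{color.Black, color.White})
	img.Pix[3] = 7 // pixel (1,1)
	return img
}

func main() {
	img := corruptSample()
	fmt.Println("validate:", validatePalette(img))
	fmt.Println("At(0,0) panics:", readPanics(img, 0, 0))
	fmt.Println("At(1,1) panics:", readPanics(img, 1, 1))
}
```
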
This repository holds supplementary Go image libraries.
The easiest way to install is to run `go get -u golang.org/x/image/...`. You can also manually git clone the repository to `$GOPATH/src/golang.org/x/image`.
This repository uses Gerrit for code changes. To learn how to submit changes to this repository, see https://golang.org/doc/contribute.html.
The main issue tracker for the image repository is located at https://github.com/golang/go/issues. Prefix your issue with “x/image:” in the subject line, so it is easy to find.