commit | cb227cd2c919b27c6206fe0c1041a8bcc677949d | [log] [tgz] |
---|---|---|
author | Damien Neil <dneil@google.com> | Fri Jul 07 18:28:45 2023 |
committer | Gopher Robot <gobot@golang.org> | Tue Aug 01 17:46:51 2023 |
tree | 80708a70ece47550e0848a21267d7657037dc65c | |
parent | a5392f068b20c5126e356d1987f3eb74fffe1af2 [diff] |
tiff: limit work when decoding malicious images Fix two paths by which a malicious image could cause unreasonable amounts of CPU consumption while decoding. Avoid iterating over every horizontal pixel when decoding a 0-height tiled image. Limit the amount of data that will be decompressed per tile. Thanks to Philippe Antoine (Catena cyber) for reporting this issue. Fixes CVE-2023-29407 Fixes CVE-2023-29408 Fixes golang/go#61581 Fixes golang/go#61582 Change-Id: I8cbb26fa06843c6fe9fa99810cb1315431fa7d1d Reviewed-on: https://go-review.googlesource.com/c/image/+/514897 Reviewed-by: Roland Shoemaker <roland@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> Auto-Submit: Damien Neil <dneil@google.com> Run-TryBot: Damien Neil <dneil@google.com>
This repository holds supplementary Go image libraries.
The easiest way to install is to run go get -u golang.org/x/image/...
. You can also manually git clone the repository to $GOPATH/src/golang.org/x/image
.
This repository uses Gerrit for code changes. To learn how to submit changes to this repository, see https://golang.org/doc/contribute.html.
The main issue tracker for the image repository is located at https://github.com/golang/go/issues. Prefix your issue with “x/image:” in the subject line, so it is easy to find.