bmp: reject images exceeding 128 megapixels on 64-bit platforms#33
bmp: reject images exceeding 128 megapixels on 64-bit platforms#33herdiyana256 wants to merge 1 commit into
Conversation
|
This PR (HEAD: 6962467) has been imported to Gerrit for code review. Please visit Gerrit at https://go-review.googlesource.com/c/image/+/791840. Important tips:
|
|
Message from Gopher Robot: Patch Set 1: (1 comment) Please don’t reply on this GitHub thread. Visit golang.org/cl/791840. |
|
Message from Ian Lance Taylor: Patch Set 1: (1 comment) Please don’t reply on this GitHub thread. Visit golang.org/cl/791840. |
6962467 to
7329e92
Compare
The safemath.Mul3 check added in CL 787680 prevents integer overflow but does not cap large-but-valid allocations on 64-bit systems. For a 16384x16384 image at 32bpp, the multiplication does not overflow int64, so the check passes and image.NewNRGBA allocates 1 GB before returning an EOF error. Under concurrent load, this exhausts memory before the garbage collector can reclaim it. Add a pixel-count limit of 1<<27 (128 megapixels) consistent with the TIFF decoder fix for CVE-2026-33809. A regression test verifies the 54-byte attack file from the report is rejected without triggering the allocation.
7329e92 to
a79343f
Compare
|
This PR (HEAD: a79343f) has been imported to Gerrit for code review. Please visit Gerrit at https://go-review.googlesource.com/c/image/+/791840. Important tips:
|
|
Message from herdiyanitdev: Patch Set 2: (1 comment) Please don’t reply on this GitHub thread. Visit golang.org/cl/791840. |
|
Message from herdiyanitdev: Patch Set 3: (1 comment) Please don’t reply on this GitHub thread. Visit golang.org/cl/791840. |
|
Message from Jorropo: Patch Set 3: (1 comment) Please don’t reply on this GitHub thread. Visit golang.org/cl/791840. |
|
Message from herdiyanitdev: Patch Set 3: (1 comment) Please don’t reply on this GitHub thread. Visit golang.org/cl/791840. |
|
Message from herdiyanitdev: Patch Set 3: (1 comment) Please don’t reply on this GitHub thread. Visit golang.org/cl/791840. |
|
This PR is being closed because golang.org/cl/791840 has been abandoned. |
|
Closing this PR as the Go team has determined this is intended behavior per the Security Considerations documentation. Damien Neil abandoned the corresponding CL 791840 and closed golang/go#80169 as not planned. Thanks for the review. |
Fix incomplete memory exhaustion guard in the BMP decoder for 64-bit
platforms.
The safemath.Mul3 check added in CL 787680 prevents integer overflow
but does not cap large-but-valid allocations on 64-bit systems. A
16384x16384 image at 32bpp passes the overflow check and causes a
1 GB allocation in image.NewNRGBA before any pixel data is read.
Add a pixel-count limit of 1<<27 (128 megapixels) consistent with
the TIFF decoder fix for CVE-2026-33809.
A regression test verifies the 54-byte attack file is rejected
without triggering the allocation.
Fixes golang/go#80169