vp8l: reject images with dimensions exceeding 128 megapixels#31
vp8l: reject images with dimensions exceeding 128 megapixels#31herdiyana256 wants to merge 1 commit into
Conversation
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
A crafted VP8L header with width=16384 and height=16384 (the maximum values encodable in 14-bit fields) causes decodePix to allocate 4*16384*16384 = 1,073,741,824 bytes (~1 GB) per Decode call. The allocation succeeds silently: Decode returns a nil error, so callers cannot detect or limit the resource consumption. Add a pixel-count guard in decodeHeader, before any pixel data is read, that rejects images whose width*height exceeds 1<<27 (~128 megapixels, 512 MB at 4 bytes per pixel). This is consistent with the guard added to the tiff decoder for CVE-2026-33809 (golang/go#78267) and with the existing canvas-size check in the VP8X code path in the webp package. Fixes golang/go#XXXXX
herdiyana256
force-pushed
the
fix/vp8l-oversized-dimensions-oom
branch
from
313d32b to
2202243
Compare
|
This PR (HEAD: 2202243) has been imported to Gerrit for code review. Please visit Gerrit at https://go-review.googlesource.com/c/image/+/774460. Important tips:
|
herdiyana256
changed the title
|
Message from Gopher Robot: Patch Set 1: (1 comment) Please don’t reply on this GitHub thread. Visit golang.org/cl/774460. |
|
Message from Gopher Robot: Patch Set 1: Congratulations on opening your first change. Thank you for your contribution! Next steps: Most changes in the Go project go through a few rounds of revision. This can be Please don’t reply on this GitHub thread. Visit golang.org/cl/774460. |
|
Message from herdiyanitdev: Patch Set 1: (1 comment) Please don’t reply on this GitHub thread. Visit golang.org/cl/774460. |
|
Message from herdiyanitdev: Patch Set 2: (1 comment) Please don’t reply on this GitHub thread. Visit golang.org/cl/774460. |
|
Message from herdiyanitdev: Patch Set 3: (1 comment) Please don’t reply on this GitHub thread. Visit golang.org/cl/774460. |
|
Message from herdiyanitdev: Patch Set 3: Code-Review+1 Please don’t reply on this GitHub thread. Visit golang.org/cl/774460. |
2 participants
A crafted VP8L header with width=16384 and height=16384 (the
maximum values encodable in 14-bit fields) causes decodePix to
allocate 41638416384 = 1,073,741,824 bytes (~1 GB) per Decode
call. The allocation succeeds silently: Decode returns a nil
error, so callers cannot detect or limit the resource consumption.
Attack: a 28-byte file is sufficient to trigger the allocation.
No authentication or special knowledge is required. Five concurrent
requests produce ~5.37 GB of heap pressure, enough to OOM-kill a
typical containerized service.
Fix: add a pixel-count guard in decodeHeader, before any pixel
data is read, that returns an error when width*height exceeds
1<<27 (~128 megapixels; 512 MB at 4 bytes per pixel).
This is consistent with:
(x/image/tiff: OOM from malicious IFD offset go#78267, fixed in v0.38.0)
A regression test is included: TestDecodeOversizedDimensions
verifies that the crafted 28-byte input returns an error without
allocating the 1 GB buffer.
Updates golang/go#78267