tiff: Validate palette indices when parsing palette-color images

jswright · gopherbot · commit 3bbf4a659e56 · 2024-06-18T20:19:45.000Z
The existing implementation will succeed to parse a corrupt or malicious image with color indices out of range of the actual palette, which will eventually result in a panic when the consumer tries to read the color at any corrupted pixel. This issue was originally discovered and filed against a downstream library: disintegration/imaging#165. This is also referenced in https://osv.dev/vulnerability/GHSA-q7pp-wcgr-pffx. Fixes golang/go#67624 Change-Id: I7d7577adb7d549ecfcd59e84e04a92d198d94c18 Reviewed-on: https://go-review.googlesource.com/c/image/+/588115 Auto-Submit: Damien Neil <dneil@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Damien Neil <dneil@google.com>
diff --git a/testdata/invalid-palette-ref.tiff b/testdata/invalid-palette-ref.tiff
diff --git a/tiff/reader.go b/tiff/reader.go
@@ -36,7 +36,10 @@ func (e UnsupportedError) Error() string {
 	return "tiff: unsupported feature: " + string(e)
 }
 
-var errNoPixels = FormatError("not enough pixel data")
+var (
+	errNoPixels          = FormatError("not enough pixel data")
+	errInvalidColorIndex = FormatError("invalid color index")
+)
 
 const maxChunkSize = 10 << 20 // 10M
 
@@ -337,13 +340,18 @@ func (d *decoder) decode(dst image.Image, xmin, ymin, xmax, ymax int) error {
 		}
 	case mPaletted:
 		img := dst.(*image.Paletted)
+		pLen := len(d.palette)
 		for y := ymin; y < rMaxY; y++ {
 			for x := xmin; x < rMaxX; x++ {
 				v, ok := d.readBits(d.bpp)
 				if !ok {
 					return errNoPixels
 				}
-				img.SetColorIndex(x, y, uint8(v))
+				idx := uint8(v)
+				if int(idx) >= pLen {
+					return errInvalidColorIndex
+				}
+				img.SetColorIndex(x, y, idx)
 			}
 			d.flushBits()
 		}
diff --git a/tiff/reader_test.go b/tiff/reader_test.go
@@ -414,6 +414,16 @@ func TestLargeIFDEntry(t *testing.T) {
 	}
 }
 
+func TestInvalidPaletteRef(t *testing.T) {
+	contents, err := ioutil.ReadFile(testdataDir + "invalid-palette-ref.tiff")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if _, err := Decode(bytes.NewReader(contents)); err == nil {
+		t.Fatal("Decode with invalid palette index: got nil error, want non-nil")
+	}
+}
+
 // benchmarkDecode benchmarks the decoding of an image.
 func benchmarkDecode(b *testing.B, filename string) {
 	b.Helper()

Original file line number	Diff line number	Diff line change
`@@ -36,7 +36,10 @@ func (e UnsupportedError) Error() string {`
`36`	`36`	`return "tiff: unsupported feature: " + string(e)`
`37`	`37`	`}`
`38`	`38`
`39`		`-var errNoPixels = FormatError("not enough pixel data")`
	`39`	`+var (`
	`40`	`+ errNoPixels = FormatError("not enough pixel data")`
	`41`	`+ errInvalidColorIndex = FormatError("invalid color index")`
	`42`	`+)`
`40`	`43`
`41`	`44`	`const maxChunkSize = 10 << 20 // 10M`
`42`	`45`
`@@ -337,13 +340,18 @@ func (d *decoder) decode(dst image.Image, xmin, ymin, xmax, ymax int) error {`
`337`	`340`	`}`
`338`	`341`	`case mPaletted:`
`339`	`342`	`img := dst.(*image.Paletted)`
	`343`	`+ pLen := len(d.palette)`
`340`	`344`	`for y := ymin; y < rMaxY; y++ {`
`341`	`345`	`for x := xmin; x < rMaxX; x++ {`
`342`	`346`	`v, ok := d.readBits(d.bpp)`
`343`	`347`	`if !ok {`
`344`	`348`	`return errNoPixels`
`345`	`349`	`}`
`346`		`- img.SetColorIndex(x, y, uint8(v))`
	`350`	`+ idx := uint8(v)`
	`351`	`+ if int(idx) >= pLen {`
	`352`	`+ return errInvalidColorIndex`
	`353`	`+ }`
	`354`	`+ img.SetColorIndex(x, y, idx)`
`347`	`355`	`}`
`348`	`356`	`d.flushBits()`
`349`	`357`	`}`