From 7a7508ffd923ffe222000ec497b9b1e224c77e86 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 17 Aug 2023 06:38:41 +0000
Subject: [PATCH] Bump golang.org/x/image from 0.9.0 to 0.11.0

Bumps [golang.org/x/image](https://github.com/golang/image) from 0.9.0 to 0.11.0.
- [Commits](https://github.com/golang/image/compare/v0.9.0...v0.11.0)

---
updated-dependencies:
- dependency-name: golang.org/x/image
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot]
---
 go.mod                                   |  2 +-
 go.sum                                   |  5 ++--
 vendor/golang.org/x/image/bmp/reader.go  | 14 +++++++---
 vendor/golang.org/x/image/tiff/reader.go | 33 ++++++++++++++++++++----
 vendor/modules.txt                       |  2 +-
 5 files changed, 43 insertions(+), 13 deletions(-)

diff --git a/go.mod b/go.mod
index 126c9de8a3..3a3a3033ea 100644
--- a/go.mod
+++ b/go.mod
@@ -89,7 +89,7 @@ require (
 	go.opentelemetry.io/otel/trace v1.16.0
 	golang.org/x/crypto v0.12.0
 	golang.org/x/exp v0.0.0-20221026004748-78e5e7837ae6
-	golang.org/x/image v0.9.0
+	golang.org/x/image v0.11.0
 	golang.org/x/net v0.14.0
 	golang.org/x/oauth2 v0.10.0
 	golang.org/x/sync v0.3.0
diff --git a/go.sum b/go.sum
index ceced9214e..ba5985646b 100644
--- a/go.sum
+++ b/go.sum
@@ -2088,8 +2088,8 @@ golang.org/x/image v0.0.0-20210607152325-775e3b0c77b9/go.mod h1:023OzeP/+EPmXeap
 golang.org/x/image v0.0.0-20210628002857-a66eb6448b8d/go.mod h1:023OzeP/+EPmXeapQh35lcL3II3LrY8Ic+EFFKVhULM=
 golang.org/x/image v0.0.0-20211028202545-6944b10bf410/go.mod h1:023OzeP/+EPmXeapQh35lcL3II3LrY8Ic+EFFKVhULM=
 golang.org/x/image v0.0.0-20220302094943-723b81ca9867/go.mod h1:023OzeP/+EPmXeapQh35lcL3II3LrY8Ic+EFFKVhULM=
-golang.org/x/image v0.9.0 h1:QrzfX26snvCM20hIhBwuHI/ThTg18b/+kcKdXHvnR+g=
-golang.org/x/image v0.9.0/go.mod h1:jtrku+n79PfroUbvDdeUWMAI+heR786BofxrbiSF+J0=
+golang.org/x/image v0.11.0 h1:ds2RoQvBvYTiJkwpSFDwCcDFNX7DqjL2WsUgTNk0Ooo=
+golang.org/x/image v0.11.0/go.mod h1:bglhjqbqVuEb9e9+eNR45Jfu7D+T4Qan+NhQk8Ck2P8=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
@@ -2421,7 +2421,6 @@ golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.10.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
-golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.12.0 h1:k+n5B8goJNdU7hSvEtMUz3d1Q6D/XW4COJSJR6fN0mc=
 golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
diff --git a/vendor/golang.org/x/image/bmp/reader.go b/vendor/golang.org/x/image/bmp/reader.go
index e165c2e398..1939c1120c 100644
--- a/vendor/golang.org/x/image/bmp/reader.go
+++ b/vendor/golang.org/x/image/bmp/reader.go
@@ -191,14 +191,22 @@ func decodeConfig(r io.Reader) (config image.Config, bitsPerPixel int, topDown b
 	}
 	switch bpp {
 	case 8:
-		if offset != fileHeaderLen+infoLen+256*4 {
+		colorUsed := readUint32(b[46:50])
+		// If colorUsed is 0, it is set to the maximum number of colors for the given bpp, which is 2^bpp.
+		if colorUsed == 0 {
+			colorUsed = 256
+		} else if colorUsed > 256 {
 			return image.Config{}, 0, false, false, ErrUnsupported
 		}
-		_, err = io.ReadFull(r, b[:256*4])
+
+		if offset != fileHeaderLen+infoLen+colorUsed*4 {
+			return image.Config{}, 0, false, false, ErrUnsupported
+		}
+		_, err = io.ReadFull(r, b[:colorUsed*4])
 		if err != nil {
 			return image.Config{}, 0, false, false, err
 		}
-		pcm := make(color.Palette, 256)
+		pcm := make(color.Palette, colorUsed)
 		for i := range pcm {
 			// BMP images are stored in BGR order rather than RGB order.
 			// Every 4th byte is padding.
diff --git a/vendor/golang.org/x/image/tiff/reader.go b/vendor/golang.org/x/image/tiff/reader.go
index 45cc056f41..f31569b6da 100644
--- a/vendor/golang.org/x/image/tiff/reader.go
+++ b/vendor/golang.org/x/image/tiff/reader.go
@@ -8,13 +8,13 @@
 package tiff // import "golang.org/x/image/tiff"
 
 import (
+	"bytes"
 	"compress/zlib"
 	"encoding/binary"
 	"fmt"
 	"image"
 	"image/color"
 	"io"
-	"io/ioutil"
 	"math"
 
 	"golang.org/x/image/ccitt"
@@ -579,6 +579,11 @@ func newDecoder(r io.Reader) (*decoder, error) {
 	default:
 		return nil, UnsupportedError("color model")
 	}
+	if d.firstVal(tPhotometricInterpretation) != pRGB {
+		if len(d.features[tBitsPerSample]) != 1 {
+			return nil, UnsupportedError("extra samples")
+		}
+	}
 	return d, nil
 }
 
@@ -629,6 +634,13 @@ func Decode(r io.Reader) (img image.Image, err error) {
 		blockWidth = int(d.firstVal(tTileWidth))
 		blockHeight = int(d.firstVal(tTileLength))
 
+		// The specification says that tile widths and lengths must be a multiple of 16.
+		// We currently permit invalid sizes, but reject anything too small to limit the
+		// amount of work a malicious input can force us to perform.
+		if blockWidth < 8 || blockHeight < 8 {
+			return nil, FormatError("tile size is too small")
+		}
+
 		if blockWidth != 0 {
 			blocksAcross = (d.config.Width + blockWidth - 1) / blockWidth
 		}
@@ -681,6 +693,11 @@ func Decode(r io.Reader) (img image.Image, err error) {
 		}
 	}
 
+	if blocksAcross == 0 || blocksDown == 0 {
+		return
+	}
+	// Maximum data per pixel is 8 bytes (RGBA64).
+	blockMaxDataSize := int64(blockWidth) * int64(blockHeight) * 8
 	for i := 0; i < blocksAcross; i++ {
 		blkW := blockWidth
 		if !blockPadding && i == blocksAcross-1 && d.config.Width%blockWidth != 0 {
@@ -708,15 +725,15 @@ func Decode(r io.Reader) (img image.Image, err error) {
 			inv := d.firstVal(tPhotometricInterpretation) == pWhiteIsZero
 			order := ccittFillOrder(d.firstVal(tFillOrder))
 			r := ccitt.NewReader(io.NewSectionReader(d.r, offset, n), order, ccitt.Group3, blkW, blkH, &ccitt.Options{Invert: inv, Align: false})
-			d.buf, err = ioutil.ReadAll(r)
+			d.buf, err = readBuf(r, d.buf, blockMaxDataSize)
 		case cG4:
 			inv := d.firstVal(tPhotometricInterpretation) == pWhiteIsZero
 			order := ccittFillOrder(d.firstVal(tFillOrder))
 			r := ccitt.NewReader(io.NewSectionReader(d.r, offset, n), order, ccitt.Group4, blkW, blkH, &ccitt.Options{Invert: inv, Align: false})
-			d.buf, err = ioutil.ReadAll(r)
+			d.buf, err = readBuf(r, d.buf, blockMaxDataSize)
 		case cLZW:
 			r := lzw.NewReader(io.NewSectionReader(d.r, offset, n), lzw.MSB, 8)
-			d.buf, err = ioutil.ReadAll(r)
+			d.buf, err = readBuf(r, d.buf, blockMaxDataSize)
 			r.Close()
 		case cDeflate, cDeflateOld:
 			var r io.ReadCloser
@@ -724,7 +741,7 @@ func Decode(r io.Reader) (img image.Image, err error) {
 			if err != nil {
 				return nil, err
 			}
-			d.buf, err = ioutil.ReadAll(r)
+			d.buf, err = readBuf(r, d.buf, blockMaxDataSize)
 			r.Close()
 		case cPackBits:
 			d.buf, err = unpackBits(io.NewSectionReader(d.r, offset, n))
@@ -748,6 +765,12 @@ func Decode(r io.Reader) (img image.Image, err error) {
 	return
 }
 
+func readBuf(r io.Reader, buf []byte, lim int64) ([]byte, error) {
+	b := bytes.NewBuffer(buf[:0])
+	_, err := b.ReadFrom(io.LimitReader(r, lim))
+	return b.Bytes(), err
+}
+
 func init() {
 	image.RegisterFormat("tiff", leHeader, Decode, DecodeConfig)
 	image.RegisterFormat("tiff", beHeader, Decode, DecodeConfig)
diff --git a/vendor/modules.txt b/vendor/modules.txt
index c87f0811ce..b0a88bd93d 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -1934,7 +1934,7 @@ golang.org/x/crypto/ssh/knownhosts
 ## explicit; go 1.18
 golang.org/x/exp/constraints
 golang.org/x/exp/slices
-# golang.org/x/image v0.9.0
+# golang.org/x/image v0.11.0
 ## explicit; go 1.12
 golang.org/x/image/bmp
 golang.org/x/image/ccitt