CVE-2023-36307: Program crashes when processing certain maliciously crafted images by pic4xiu · Pull Request #6 · SimonWaldherr/zplgfa

** DISPUTED ** ZPLGFA 1.1.1 allows attackers to cause a panic (because of an integer index out of range during a ConvertToGraphicField call) via an image of zero width. NOTE: it is unclear whether there are common use cases in which this panic could have any security consequence.

I found that in the ConvertToGraphicField function, in the first layer of the for loop, if the width is 0, the calculation of line[lineIndex] will cause the program to go out of bounds. Because the line definition statement is line := make([]uint8, width), the program directly crashes.

func ConvertToGraphicField(source image.Image, graphicType GraphicType) string {
    var gfType string
    var lastLine string
    size := source.Bounds().Size()
    width := size.X / 8
    height := size.Y
    if size.Y%8 != 0 {
        width = width + 1
    }

    var GraphicFieldData string

    for y := 0; y < size.Y; y++ {
        line := make([]uint8, width)
        lineIndex := 0
        index := uint8(0)
        currentByte := line[lineIndex] // line[0] is out of bounds
        ...

The reason I did not choose to introduce an error to indicate that the program went wrong is that it seems reasonable to return an empty string, because the image width is 0.
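A minimal reproduction of the failure mode and of the guard described above, as an added example that is not the project's code or the pull request's patch. `rowBytes` copies the width calculation quoted above; `packFirstByte`, `guarded` and `panics` are hypothetical helpers, and the images are constructed in memory.

```go
package main

import (
	"fmt"
	"image"
)

// rowBytes copies the row-width calculation quoted on the page unchanged,
// including its use of size.Y in the remainder test.
func rowBytes(size image.Point) int {
	width := size.X / 8
	if size.Y%8 != 0 {
		width = width + 1
	}
	return width
}

// packFirstByte is a hypothetical stand-in for the start of the loop body:
// it allocates one row buffer and reads line[0], as the quoted code does.
func packFirstByte(src image.Image) uint8 {
	line := make([]uint8, rowBytes(src.Bounds().Size()))
	return line[0] // index out of range when the buffer is empty
}

// guarded (hypothetical) checks the computed buffer length before any
// indexing and returns an empty string, the behaviour the pull request chose.
func guarded(src image.Image) (string, bool) {
	if rowBytes(src.Bounds().Size()) == 0 {
		return "", false
	}
	return fmt.Sprintf("%02X", packFirstByte(src)), true
}

// panics reports whether f panics, so a test can assert on the crash.
func panics(f func()) (p bool) {
	defer func() { p = recover() != nil }()
	f()
	return false
}

func main() {
	zero := image.NewGray(image.Rect(0, 0, 0, 8))  // constructed zero-width image
	full := image.NewGray(image.Rect(0, 0, 16, 8)) // constructed 16x8 image
	fmt.Println("unguarded panics:", panics(func() { packFirstByte(zero) }))
	out, ok := guarded(zero)
	fmt.Printf("guarded zero-width: %q ok=%v\n", out, ok)
	out, ok = guarded(full)
	fmt.Printf("guarded 16x8: %q ok=%v\n", out, ok)
}
```

Because the guard tests the computed buffer length rather than `size.X` alone, it covers every image size for which the quoted calculation yields an empty row buffer.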
