x/image/bmp: hang on degenerate image

[dvyukov]

The following program takes 20 seconds to run. The image size is 0x538771456, so it passes the image size sanity check after DecodeConfig. But bmp package actually reads in and decodes every row. Decode should either produce an error or instantly return a 0x0 image.

package main

import (
    "bytes"
    "golang.org/x/image/bmp"
)

func main() {
    data := []byte("BM6\x03\x00\x00\x00\x00\x00\x006\x00\x00\x00(\x00\x00\x00\x00\x00" +
        "\x00\x00\x00\x00\x1d \x01\x00\x18\x00\x00\x00\x00\x00\x00\x00\x00\x1d V" +
        "a\x00lue>`\x0e\x00\x00n\t\x00\x00\x00\x00\x00\x00\x00\x00" +
        "\x00\x00")
    cfg, err := bmp.DecodeConfig(bytes.NewReader(data))
    if err != nil {
        return 0
    }
    if cfg.Width*cfg.Height > 1e6 {
        return 0
    }
    img, err := bmp.Decode(bytes.NewReader(data))
    if err != nil {
        return
    }
    var w bytes.Buffer
    bmp.Encode(&w, img)
}

on commit 4a3ed0c1249ebedab3c715c000034638f1cad002

[gopherbot]

CL https://golang.org/cl/9836 mentions this issue.