CVE-2026-46601
Deferred - Pending Action
WebP Decoder Panic in Go Standard Library

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: Go Project

Description
The webp decoder can panic when processing a VP8 chunk with dimensions that do not match the canvas size.
Meta Information
Published: 2026-06-25
Last Modified: 2026-06-25
Generated: 2026-06-26
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor | Product | Version / Range
golang | golang.org | to v0.43.0 (exc)
CWE ID Description
CWE-UNKNOWN
Executive Summary

This vulnerability occurs in the webp decoder when it processes a VP8 chunk whose dimensions do not match the canvas size. The mismatch can cause the decoder to panic, which crashes the calling program unless the panic is recovered.

Impact Analysis

The webp decoder may panic or crash when handling certain malformed VP8 chunks. This could lead to denial of service or application instability if an attacker supplies crafted images with mismatched dimensions.

Detection Guidance

This vulnerability occurs when the webp decoder in Go's x/image/webp package processes a VP8 chunk with width and height dimensions that do not match the canvas size, potentially causing a panic.

To detect this vulnerability on your system, you can test decoding of WebP images that have mismatched VP8 chunk dimensions and canvas sizes, especially those containing ALPH chunks.

No specific commands are provided in the referenced resources. Instead, write or use Go code that decodes suspicious WebP images with the Decode or DecodeConfig functions from a golang.org/x/image/webp version before v0.43.0, and observe whether a panic occurs.

Mitigation Strategies

To mitigate this vulnerability, update the golang.org/x/image/webp package to version v0.43.0 or later, where the issue has been fixed.

Avoid processing untrusted WebP images with mismatched VP8 chunk dimensions and canvas sizes until the update is applied.
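
As an added example (not code from this page or from the Go project), the following header-only pre-check implements the stopgap above by rejecting files whose VP8 key-frame size differs from the VP8X canvas size before they reach the decoder. The names CheckWebPDims, ErrDimMismatch and sampleHeader are hypothetical, the chunk layout is assumed from the WebP container and VP8 key-frame header formats, and only extended-format (VP8X) files with a lossy VP8 chunk are compared.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

var ErrDimMismatch = errors.New("webp: VP8 frame size differs from VP8X canvas size")

// CheckWebPDims (hypothetical helper) reads chunk headers only; it never decodes pixels.
func CheckWebPDims(b []byte) error {
	if len(b) < 12 || string(b[:4]) != "RIFF" || string(b[8:12]) != "WEBP" {
		return errors.New("webp: not a RIFF/WEBP container")
	}
	canvasW, canvasH := 0, 0 // 0 means no VP8X chunk has been seen yet
	for off := 12; off+8 <= len(b); {
		id, size := string(b[off:off+4]), int(binary.LittleEndian.Uint32(b[off+4:]))
		if size < 0 || size > len(b)-off-8 || (id == "VP8X" && size < 10) {
			return fmt.Errorf("webp: chunk %q is truncated or malformed", id)
		}
		p := b[off+8 : off+8+size]
		switch {
		case id == "VP8X": // flags(1) reserved(3) width-1(3) height-1(3), little endian
			canvasW = 1 + (int(p[4]) | int(p[5])<<8 | int(p[6])<<16)
			canvasH = 1 + (int(p[7]) | int(p[8])<<8 | int(p[9])<<16)
		case id == "VP8 " && canvasW > 0: // frame tag(3), start code 9d 01 2a, width(2), height(2)
			if size < 10 || p[0]&1 != 0 || p[3] != 0x9d || p[4] != 0x01 || p[5] != 0x2a {
				return errors.New("webp: VP8 chunk does not start with a key-frame header")
			}
			w := int(binary.LittleEndian.Uint16(p[6:]) & 0x3fff) // low 14 bits; top 2 are scale
			h := int(binary.LittleEndian.Uint16(p[8:]) & 0x3fff)
			if w != canvasW || h != canvasH {
				return fmt.Errorf("%w: frame %dx%d, canvas %dx%d", ErrDimMismatch, w, h, canvasW, canvasH)
			}
		}
		off += 8 + size + size&1 // chunk payloads are padded to an even length
	}
	return nil
}

// sampleHeader returns constructed header-only bytes (no image data): canvas 4x4, frame w x h.
func sampleHeader(w, h byte) []byte {
	b := []byte("RIFF\x00\x00\x00\x00WEBP" + "VP8X\x0a\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x03\x00\x00" + "VP8 \x0a\x00\x00\x00\x00\x00\x00\x9d\x01\x2a")
	return append(b, w, 0, h, 0)
}

func main() { fmt.Println(CheckWebPDims(sampleHeader(4, 4)), CheckWebPDims(sampleHeader(2, 2))) }
```

Run it on uploads before calling Decode or DecodeConfig and reject any file that returns an error; upgrading to v0.43.0 or later remains the fix.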
