Golang Excessive Memory Allocation Vulnerability in Font Parsing

Vulnerability

A vulnerability exists in the Golang package 'golang.org/x/image/font/sfnt' prior to version 0.39.0, where parsing a malicious font file can lead to excessive memory allocation. This issue arises in the 'io.ReaderAt' path when 'GPOS PairPos' tables are processed. The allocation size is derived by multiplying class counts read unchecked from the font file, so a crafted file can request a multi-gigabyte allocation that exceeds available memory and crashes the process. Additionally, the parsing functions do not validate that derived indices are within bounds, further exacerbating the issue.

Impact

Exploitation of this vulnerability causes the process to exhaust available memory and be terminated by the operating system (OOM-killed).

Reproduction

The vulnerability can be reproduced by parsing a crafted font file that includes a 'GPOS PairPos' table with class counts set to 65535. This can be done using the 'golang.org/x/image/font/sfnt' package, specifically through the 'io.ReaderAt' path, which is unbounded and susceptible to such manipulations. The '[]byte' path is not affected, as it is limited by the slice length.
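The allocation-size check that the Vulnerability and Reproduction sections describe, as an added Go example that is not code from golang.org/x/image: it contrasts the unchecked count-multiplication pattern with a version that bounds the derived size against the known table length, which the '[]byte' path gets from the slice length and the 'io.ReaderAt' path must be given explicitly. The header layout, field offsets, record size and 16 MiB cap are assumptions of this example, not the OpenType PairPos format.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed, simplified PairPos-style header for this example only (not the
// real sfnt layout). After the fixed header the table holds
// class1Count*class2Count records of recordSize bytes each.
const (
	headerSize    = 16      // assumed fixed header size
	recordSize    = 4       // assumed bytes per (class1, class2) value record
	maxAllocBytes = 1 << 24 // assumed hard cap (16 MiB) for one table
)

var errBadCounts = errors.New("pairpos: class counts exceed table bounds")

// uncheckedRecordBytes mirrors the vulnerable pattern: two 16-bit counts from
// the file are multiplied and used directly as an allocation size.
func uncheckedRecordBytes(class1Count, class2Count uint16) int {
	return int(class1Count) * int(class2Count) * recordSize
}

// checkedRecordBytes validates the derived size against the table length
// known from the font container and against a hard cap before allocating.
func checkedRecordBytes(class1Count, class2Count uint16, tableLen int64) (int, error) {
	n := int64(class1Count) * int64(class2Count) * recordSize // cannot overflow int64
	if n > maxAllocBytes || headerSize+n > tableLen {
		return 0, errBadCounts
	}
	return int(n), nil
}

// parseCounts reads the two class counts from the constructed header; the
// offsets 12 and 14 are an assumption of this example.
func parseCounts(hdr []byte) (uint16, uint16, error) {
	if len(hdr) < headerSize {
		return 0, 0, errors.New("pairpos: short header")
	}
	return binary.BigEndian.Uint16(hdr[12:]), binary.BigEndian.Uint16(hdr[14:]), nil
}

func main() {
	hdr := make([]byte, headerSize)
	binary.BigEndian.PutUint16(hdr[12:], 65535) // constructed hostile counts
	binary.BigEndian.PutUint16(hdr[14:], 65535)
	c1, c2, _ := parseCounts(hdr)
	fmt.Printf("unchecked would allocate %d bytes\n", uncheckedRecordBytes(c1, c2))
	_, err := checkedRecordBytes(c1, c2, 4096) // table is only 4 KiB long
	fmt.Println("checked:", err)
}
```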

Remediation

Users should update to 'golang.org/x/image' version 0.39.0 or later, where this vulnerability has been addressed by adding proper validation and bounds checks in the 'GPOS' parsing to prevent excessive memory allocation.

Added: Apr 21, 2026, 9:24 PM
Updated: Apr 21, 2026, 9:24 PM

Vulnerability Rating

Custom Algorithm

  Category        Score
  spread          0.0
  impact          2.5
  exploitability  8.4
  remediation     0.0
  relevance       6.4
  threat          4.8
  urgency         2.9
  incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.