Comparing changes

base repository: golang/image
base: v0.38.0
head repository: golang/image
compare: v0.39.0
  • 3 commits
  • 5 files changed
  • 2 contributors

Commits on Mar 30, 2026

  1. webp: reject VP8X headers with too-large canvases

    RFC 9649 states that the canvas width * height must be
    at most 2^32-1. Enforce this.
    
    This avoids creating an invalid image (which will panic
    when manipulated) when decoding a too-large image on
    32-bit platforms.
    
    https://www.rfc-editor.org/rfc/rfc9649.html#section-2.7-12
    
    Fixes golang/go#78407
    Fixes CVE-2026-33813
    
    Change-Id: I7e2b68374681da4f72ee51ebfd8833006a6a6964
    Reviewed-on: https://go-review.googlesource.com/c/image/+/759860
    LUCI-TryBot-Result: Go LUCI <[email protected]>
    Auto-Submit: Damien Neil <[email protected]>
    Reviewed-by: Neal Patel <[email protected]>
    neild authored and gopherbot committed Mar 30, 2026
    96edba0

Commits on Apr 1, 2026

  1. font/sfnt: apply bounds checks before allocating read buffer

    When using ReadAt to read more than 1MiB of data from a font file,
    verify that the file contains the data before allocating the
    read buffer. Avoids excessive memory allocation when parsing corrupt
    or malicious font files.
    
    Thanks to Andy Gill, ZephrSec Ltd for reporting this issue.
    
    Fixes golang/go#78382
    Fixes CVE-2026-33812
    
    Change-Id: Icd5e7388661a76a6af800f0ba0b728c46a6a6964
    Reviewed-on: https://go-review.googlesource.com/c/image/+/761180
    LUCI-TryBot-Result: Go LUCI <[email protected]>
    Auto-Submit: Damien Neil <[email protected]>
    Reviewed-by: Neal Patel <[email protected]>
    neild authored and gopherbot committed Apr 1, 2026
    854c274

Commits on Apr 9, 2026

  1. go.mod: update golang.org/x dependencies

    Update golang.org/x dependencies to their latest tagged versions.
    
    Change-Id: Ibbf25c50cf9f700e7a8fca7ce751350e7629ca2c
    Reviewed-on: https://go-review.googlesource.com/c/image/+/764500
    LUCI-TryBot-Result: Go LUCI <[email protected]>
    Auto-Submit: Gopher Robot <[email protected]>
    Reviewed-by: Dmitri Shuralyov <[email protected]>
    Reviewed-by: David Chase <[email protected]>
    gopherbot committed Apr 9, 2026
    3d5c9b6
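
An added example, not the golang/image code: it reads the canvas size from a VP8X chunk payload and enforces the RFC 9649 limit named in the commit "webp: reject VP8X headers with too-large canvases". The names `ParseVP8XCanvas`, `ErrCanvasTooLarge` and `vp8xPayload` are hypothetical, and the sample payloads are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrCanvasTooLarge is a hypothetical error name used only in this example.
var ErrCanvasTooLarge = errors.New("webp: VP8X canvas width*height exceeds 2^32-1")

// maxCanvasPixels is the RFC 9649 limit on canvas width * height.
const maxCanvasPixels = 1<<32 - 1

// ParseVP8XCanvas (hypothetical name) reads the canvas size from a 10-byte
// VP8X chunk payload: 1 byte of flags, 3 reserved bytes, then width-1 and
// height-1 as 24-bit little-endian integers. It rejects oversized canvases.
func ParseVP8XCanvas(payload []byte) (width, height uint32, err error) {
	if len(payload) < 10 {
		return 0, 0, errors.New("webp: short VP8X payload")
	}
	width = 1 + (uint32(payload[4]) | uint32(payload[5])<<8 | uint32(payload[6])<<16)
	height = 1 + (uint32(payload[7]) | uint32(payload[8])<<8 | uint32(payload[9])<<16)
	// Multiply in 64 bits: each factor can be 2^24, so the product can reach
	// 2^48 and would wrap in a 32-bit int before any comparison could see it.
	if uint64(width)*uint64(height) > maxCanvasPixels {
		return 0, 0, ErrCanvasTooLarge
	}
	return width, height, nil
}

// vp8xPayload builds a constructed sample payload for the given canvas size.
func vp8xPayload(width, height uint32) []byte {
	w, h := width-1, height-1
	return []byte{0, 0, 0, 0,
		byte(w), byte(w >> 8), byte(w >> 16),
		byte(h), byte(h >> 8), byte(h >> 16)}
}

func main() {
	// Constructed cases: ordinary, just under the limit, just over, maximum.
	for _, c := range [][2]uint32{{1920, 1080}, {65536, 65535}, {65536, 65536}, {1 << 24, 1 << 24}} {
		w, h, err := ParseVP8XCanvas(vp8xPayload(c[0], c[1]))
		fmt.Println(c, w, h, err)
	}
}
```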