zeni/go-chart
1
0
Fork 0
Code Issues Pull requests Projects Releases 2 Packages Wiki Activity Actions

narrow fix for CVE-2024-40060

Browse source
This commit is contained in:
Will Charczuk 2024-08-23 08:41:44 -07:00
parent a334e8e43a
commit 218e744a87
3 changed files with 41 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
box.go
View file

@ -254,6 +254,22 @@ func (b Box) OuterConstrain(bounds, other Box) Box {
return newBox return newBox
} }
func (b Box) Validate() error {
if b.Left < 0 {
return fmt.Errorf("invalid left; must be >= 0")
}
if b.Right < 0 {
return fmt.Errorf("invalid right; must be > 0")
}
if b.Top < 0 {
return fmt.Errorf("invalid top; must be > 0")
}
if b.Bottom < 0 {
return fmt.Errorf("invalid bottom; must be > 0")
}
return nil
}
// BoxCorners is a box with independent corners. // BoxCorners is a box with independent corners.
type BoxCorners struct { type BoxCorners struct {
TopLeft, TopRight, BottomRight, BottomLeft Point TopLeft, TopRight, BottomRight, BottomLeft Point

19
chart_test.go
View file

@ -573,3 +573,22 @@ func TestChartE2ELineWithFill(t *testing.T) {
testutil.AssertEqual(t, defaultSeriesColor, at(i, 0, 49)) testutil.AssertEqual(t, defaultSeriesColor, at(i, 0, 49))
testutil.AssertEqual(t, defaultSeriesColor, at(i, 49, 0)) testutil.AssertEqual(t, defaultSeriesColor, at(i, 49, 0))
} }
func Test_Chart_cve(t *testing.T) {
poc := StackedBarChart{
Title: "poc",
Bars: []StackedBar{
{
Name: "11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111",
Values: []Value{
{Value: 1, Label: "infinite"},
{Value: 1, Label: "loop"},
},
},
},
}
var imgContent bytes.Buffer
err := poc.Render(PNG, &imgContent)
testutil.AssertNotNil(t, err)
}

6
stacked_bar_chart.go
View file

@ -118,12 +118,18 @@ func (sbc StackedBarChart) Render(rp RendererProvider, w io.Writer) error {
var canvasBox Box var canvasBox Box
if sbc.IsHorizontal { if sbc.IsHorizontal {
canvasBox = sbc.getHorizontalAdjustedCanvasBox(r, sbc.getDefaultCanvasBox()) canvasBox = sbc.getHorizontalAdjustedCanvasBox(r, sbc.getDefaultCanvasBox())
if err := canvasBox.Validate(); err != nil {
return fmt.Errorf("invalid canvas box: %w", err)
}
sbc.drawCanvas(r, canvasBox) sbc.drawCanvas(r, canvasBox)
sbc.drawHorizontalBars(r, canvasBox) sbc.drawHorizontalBars(r, canvasBox)
sbc.drawHorizontalXAxis(r, canvasBox) sbc.drawHorizontalXAxis(r, canvasBox)
sbc.drawHorizontalYAxis(r, canvasBox) sbc.drawHorizontalYAxis(r, canvasBox)
} else { } else {
canvasBox = sbc.getAdjustedCanvasBox(r, sbc.getDefaultCanvasBox()) canvasBox = sbc.getAdjustedCanvasBox(r, sbc.getDefaultCanvasBox())
if err := canvasBox.Validate(); err != nil {
return fmt.Errorf("invalid canvas box: %w", err)
}
sbc.drawCanvas(r, canvasBox) sbc.drawCanvas(r, canvasBox)
sbc.drawBars(r, canvasBox) sbc.drawBars(r, canvasBox)
sbc.drawXAxis(r, canvasBox) sbc.drawXAxis(r, canvasBox)