While running go-fuzz on one of our services, I discovered an input that raised the following runtime error:
panic: runtime error: slice bounds out of range
goroutine 1 [running]:
github.com/h2non/filetype/matchers/isobmff.GetFtyp(0x7f3b1f727000, 0x1a, 0x1a, 0x489801, 0x4cf652, 0x4cf652, 0x4, 0x240bd42694a81301, 0xc000049c70, 0x40c7ff)
/home/<name>/gocode/src/github.com/h2non/filetype/matchers/isobmff/isobmff.go:27 +0x353
github.com/h2non/filetype/matchers.Heif(0x7f3b1f727000, 0x1a, 0x1a, 0x4a2070)
/home/<name>/gocode/src/github.com/h2non/filetype/matchers/image.go:119 +0xb8
github.com/h2non/filetype/matchers.NewMatcher.func1(0x7f3b1f727000, 0x1a, 0x1a, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
/home/<name>/gocode/src/github.com/h2non/filetype/matchers/matchers.go:26 +0x81
gopkg.in/h2non/filetype%2ev1.Match(0x7f3b1f727000, 0x1a, 0x1a, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
/home/<name>/gocode/src/gopkg.in/h2non/filetype.v1/match.go:29 +0x20a
gopkg.in/h2non/filetype%2ev1.Get(...)
/home/<name>/gocode/src/gopkg.in/h2non/filetype.v1/match.go:40
github.com/h2non/filetype.Fuzz(0x7f3b1f727000, 0x1a, 0x1a, 0x4)
/home/<name>/gocode/src/github.com/h2non/filetype/fuzz.go:9 +0x7a
go-fuzz-dep.Main(0xc000049f80, 0x1, 0x1)
/tmp/go-fuzz-build324713724/goroot/src/go-fuzz-dep/main.go:36 +0x1b6
main.main()
/tmp/go-fuzz-build324713724/gopath/src/github.com/h2non/filetype/go.fuzz.main/main.go:15 +0x52
exit status 2
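A bounds-checked reader for the ISO BMFF `ftyp` box, showing how a parser can return an error instead of panicking when the declared box size exceeds the bytes available. This is an added example, not code from h2non/filetype or from the report above: `ParseFtyp`, `Ftyp`, `errTruncated` and the 26-byte sample are hypothetical or constructed. That the reported panic comes from a size field larger than the buffer is an assumption the trace does not confirm.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Ftyp holds the fields of an ISO BMFF "ftyp" box.
type Ftyp struct {
	Major, Minor string
	Compatible   []string
}

var errTruncated = errors.New("ftyp: declared size does not fit the buffer")

// ParseFtyp is a hypothetical helper, not the library's GetFtyp.
func ParseFtyp(buf []byte) (Ftyp, error) {
	// size(4) + "ftyp"(4) + major brand(4) + minor version(4) = 16 bytes.
	if len(buf) < 16 {
		return Ftyp{}, errTruncated
	}
	if string(buf[4:8]) != "ftyp" {
		return Ftyp{}, errors.New("ftyp: not an ftyp box")
	}
	// The size field comes from the input, so it is checked against the
	// buffer before any slicing. Sizes 0 and 1 have special meanings in
	// the format and are simply rejected here.
	size := uint64(binary.BigEndian.Uint32(buf[0:4]))
	if size < 16 || size > uint64(len(buf)) {
		return Ftyp{}, errTruncated
	}
	f := Ftyp{Major: string(buf[8:12]), Minor: string(buf[12:16])}
	// Read only whole 4-byte brands that lie inside the declared box.
	for i := uint64(16); i+4 <= size; i += 4 {
		f.Compatible = append(f.Compatible, string(buf[i:i+4]))
	}
	return f, nil
}

// constructedInput builds a 26-byte sample whose header claims 32 bytes.
func constructedInput() []byte {
	b := []byte{0, 0, 0, 32}
	b = append(b, "ftypheic"...)
	b = append(b, 0, 0, 0, 0)
	b = append(b, "mif1heic"...)
	return append(b, 'x', 'y')
}

func main() {
	_, err := ParseFtyp(constructedInput())
	fmt.Println("truncated sample:", err)
}
```

Adding the constructed sample to the fuzzing corpus as a regression seed keeps this case covered in later runs.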