CVE-2023-36307: 
vulnerability analysis and mitigation

ZPLGFA 1.1.1 contains a vulnerability that allows attackers to cause a panic due to an integer index out of range during a ConvertToGraphicField call when processing an image with zero width. This vulnerability was discovered and disclosed in June 2023, affecting the ZPLGFA Go package. The vulnerability is currently marked as DISPUTED, as it is unclear whether there are common use cases in which this panic could have any security consequence (NVD).

The vulnerability exists in the ConvertToGraphicField function where an array index out of bounds error occurs when processing images with zero width. The issue arises because the code creates a slice with make([]uint8, width) where width is zero, and then attempts to access line[lineIndex], leading to a panic. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 (MEDIUM) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (NVD).

When exploited, the vulnerability causes the application to panic, potentially leading to a denial of service condition. However, the security impact is disputed as it's unclear whether this panic could have significant security consequences in common use cases (NVD).

The issue has been addressed through a pull request that was merged on June 17, 2023. The fix prevents the out-of-bounds array access when processing images with zero width (GitHub PR).