Skip to content

Commit 65dd8bd

Browse files
Merge pull request #3080 from SixLabors/bp/fixIssue3078
Add check for span length in parse PNG pHYs chunk
2 parents 0d53f96 + 5842434 commit 65dd8bd

File tree

3 files changed

+43
-24
lines changed

3 files changed

+43
-24
lines changed

src/ImageSharp/Formats/Png/Chunks/PngPhysical.cs

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -46,6 +46,11 @@ public PngPhysical(uint x, uint y, byte unitSpecifier)
4646
/// <returns>The parsed PhysicalChunkData.</returns>
4747
public static PngPhysical Parse(ReadOnlySpan<byte> data)
4848
{
49+
if (data.Length < 9)
50+
{
51+
PngThrowHelper.ThrowInvalidImageContentException("pHYs chunk is too short");
52+
}
53+
4954
uint hResolution = BinaryPrimitives.ReadUInt32BigEndian(data[..4]);
5055
uint vResolution = BinaryPrimitives.ReadUInt32BigEndian(data.Slice(4, 4));
5156
byte unit = data[8];

src/ImageSharp/Formats/Png/PngThrowHelper.cs

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -9,8 +9,7 @@ namespace SixLabors.ImageSharp.Formats.Png;
99
internal static class PngThrowHelper
1010
{
1111
[DoesNotReturn]
12-
public static void ThrowInvalidImageContentException(string errorMessage, Exception innerException)
13-
=> throw new InvalidImageContentException(errorMessage, innerException);
12+
public static void ThrowInvalidImageContentException(string errorMessage) => throw new InvalidImageContentException(errorMessage);
1413

1514
[DoesNotReturn]
1615
public static void ThrowInvalidHeader() => throw new InvalidImageContentException("PNG Image must contain a header chunk and it must be located before any other chunks.");

tests/ImageSharp.Tests/Formats/Png/PngDecoderTests.Chunks.cs

Lines changed: 37 additions & 22 deletions
Original file line numberDiff line numberDiff line change
@@ -20,40 +20,40 @@ public partial class PngDecoderTests
2020
private static readonly byte[] Raw1X1PngIhdrAndpHYs =
2121
[
2222
// PNG Identifier
23-
0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A,
23+
0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A,
2424

25-
// IHDR
26-
0x00, 0x00, 0x00, 0x0D, 0x49, 0x48, 0x44, 0x52, 0x00,
27-
0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x08, 0x02,
28-
0x00, 0x00, 0x00,
25+
// IHDR
26+
0x00, 0x00, 0x00, 0x0D, 0x49, 0x48, 0x44, 0x52, 0x00,
27+
0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x08, 0x02,
28+
0x00, 0x00, 0x00,
2929

30-
// IHDR CRC
31-
0x90, 0x77, 0x53, 0xDE,
30+
// IHDR CRC
31+
0x90, 0x77, 0x53, 0xDE,
3232

33-
// pHYS
34-
0x00, 0x00, 0x00, 0x09, 0x70, 0x48, 0x59, 0x73, 0x00,
35-
0x00, 0x0E, 0xC3, 0x00, 0x00, 0x0E, 0xC3, 0x01,
33+
// pHYS
34+
0x00, 0x00, 0x00, 0x09, 0x70, 0x48, 0x59, 0x73, 0x00,
35+
0x00, 0x0E, 0xC3, 0x00, 0x00, 0x0E, 0xC3, 0x01,
3636

37-
// pHYS CRC
38-
0xC7, 0x6F, 0xA8, 0x64
37+
// pHYS CRC
38+
0xC7, 0x6F, 0xA8, 0x64
3939
];
4040

4141
// Contains the png marker, IDAT and IEND chunks of a 1x1 pixel 32bit png 1 a single black pixel.
4242
private static readonly byte[] Raw1X1PngIdatAndIend =
4343
[
4444
// IDAT
45-
0x00, 0x00, 0x00, 0x0C, 0x49, 0x44, 0x41, 0x54, 0x18,
46-
0x57, 0x63, 0x60, 0x60, 0x60, 0x00, 0x00, 0x00, 0x04,
47-
0x00, 0x01,
45+
0x00, 0x00, 0x00, 0x0C, 0x49, 0x44, 0x41, 0x54, 0x18,
46+
0x57, 0x63, 0x60, 0x60, 0x60, 0x00, 0x00, 0x00, 0x04,
47+
0x00, 0x01,
4848

49-
// IDAT CRC
50-
0x5C, 0xCD, 0xFF, 0x69,
49+
// IDAT CRC
50+
0x5C, 0xCD, 0xFF, 0x69,
5151

52-
// IEND
53-
0x00, 0x00, 0x00, 0x00, 0x49, 0x45, 0x4E, 0x44,
52+
// IEND
53+
0x00, 0x00, 0x00, 0x00, 0x49, 0x45, 0x4E, 0x44,
5454

55-
// IEND CRC
56-
0xAE, 0x42, 0x60, 0x82
55+
// IEND CRC
56+
0xAE, 0x42, 0x60, 0x82
5757
];
5858

5959
[Theory]
@@ -70,13 +70,28 @@ public void Decode_IncorrectCRCForCriticalChunk_ExceptionIsThrown(uint chunkType
7070
WriteChunk(memStream, chunkName);
7171
WriteDataChunk(memStream);
7272

73-
ImageFormatException exception =
73+
InvalidImageContentException exception =
7474
Assert.Throws<InvalidImageContentException>(() => PngDecoder.Instance.Decode<Rgb24>(DecoderOptions.Default, memStream));
7575

7676
Assert.Equal($"CRC Error. PNG {chunkName} chunk is corrupt!", exception.Message);
7777
}
7878
}
7979

80+
// https://github.com/SixLabors/ImageSharp/issues/3078
81+
[Fact]
82+
public void Decode_TruncatedPhysChunk_ExceptionIsThrown()
83+
{
84+
// 24 bytes — PNG signature + truncated pHYs chunk
85+
byte[] payload = Convert.FromHexString(
86+
"89504e470d0a1a0a3030303070485973" +
87+
"3030303030303030");
88+
89+
using MemoryStream stream = new(payload);
90+
InvalidImageContentException exception = Assert.Throws<InvalidImageContentException>(() => Image.Load<Rgba32>(stream));
91+
92+
Assert.Equal("pHYs chunk is too short", exception.Message);
93+
}
94+
8095
private static string GetChunkTypeName(uint value)
8196
{
8297
byte[] data = new byte[4];

0 commit comments

Comments
 (0)