diff --git a/src/ImageSharp/Formats/Png/PngDecoderCore.cs b/src/ImageSharp/Formats/Png/PngDecoderCore.cs
index f5fc86ee4..090e1e2b0 100644
--- a/src/ImageSharp/Formats/Png/PngDecoderCore.cs
+++ b/src/ImageSharp/Formats/Png/PngDecoderCore.cs
@@ -429,10 +429,16 @@ namespace SixLabors.ImageSharp.Formats.Png
/// The metadata to read to.
/// The data containing physical data.
private void ReadGammaChunk(PngMetadata pngMetadata, ReadOnlySpan data)
+ {
+ if (data.Length < 4)
+ {
+ PngThrowHelper.ThrowInvalidGamma();
+ }
- // The value is encoded as a 4-byte unsigned integer, representing gamma times 100000.
// For example, a gamma of 1/2.2 would be stored as 45455.
- => pngMetadata.Gamma = BinaryPrimitives.ReadUInt32BigEndian(data) * 1e-5F;
+ // The value is encoded as a 4-byte unsigned integer, representing gamma times 100000.
+ pngMetadata.Gamma = BinaryPrimitives.ReadUInt32BigEndian(data) * 1e-5F;
+ }
///
/// Initializes the image and various buffers needed for processing
diff --git a/src/ImageSharp/Formats/Png/PngThrowHelper.cs b/src/ImageSharp/Formats/Png/PngThrowHelper.cs
index ae7d16ec7..07372dae2 100644
--- a/src/ImageSharp/Formats/Png/PngThrowHelper.cs
+++ b/src/ImageSharp/Formats/Png/PngThrowHelper.cs
@@ -24,6 +24,9 @@ namespace SixLabors.ImageSharp.Formats.Png
[MethodImpl(InliningOptions.ColdPath)]
public static void ThrowMissingPalette() => throw new InvalidImageContentException("PNG Image does not contain a palette chunk");
+ [MethodImpl(InliningOptions.ColdPath)]
+ public static void ThrowInvalidGamma() => throw new InvalidImageContentException("PNG Image does not contain enough data for the gamma chunk");
+
[MethodImpl(InliningOptions.ColdPath)]
public static void ThrowInvalidChunkType() => throw new InvalidImageContentException("Invalid PNG data.");
diff --git a/tests/ImageSharp.Tests/Formats/Png/PngDecoderTests.cs b/tests/ImageSharp.Tests/Formats/Png/PngDecoderTests.cs
index a92856c73..7fd87258b 100644
--- a/tests/ImageSharp.Tests/Formats/Png/PngDecoderTests.cs
+++ b/tests/ImageSharp.Tests/Formats/Png/PngDecoderTests.cs
@@ -281,6 +281,21 @@ namespace SixLabors.ImageSharp.Tests.Formats.Png
Assert.Contains("PNG Image does not contain a palette chunk", ex.Message);
}
+ [Theory]
+ [WithFile(TestImages.Png.Bad.InvalidGammaChunk, PixelTypes.Rgba32)]
+ public void Decode_InvalidGammaChunk_ThrowsException(TestImageProvider provider)
+ where TPixel : unmanaged, IPixel
+ {
+ Exception ex = Record.Exception(
+ () =>
+ {
+ using Image image = provider.GetImage(PngDecoder);
+ image.DebugSave(provider);
+ });
+ Assert.NotNull(ex);
+ Assert.Contains("PNG Image does not contain enough data for the gamma chunk", ex.Message);
+ }
+
[Theory]
[WithFile(TestImages.Png.Bad.BitDepthZero, PixelTypes.Rgba32)]
[WithFile(TestImages.Png.Bad.BitDepthThree, PixelTypes.Rgba32)]
diff --git a/tests/ImageSharp.Tests/TestImages.cs b/tests/ImageSharp.Tests/TestImages.cs
index c6bd20a7d..5bce99ce1 100644
--- a/tests/ImageSharp.Tests/TestImages.cs
+++ b/tests/ImageSharp.Tests/TestImages.cs
@@ -129,6 +129,7 @@ namespace SixLabors.ImageSharp.Tests
public const string CorruptedChunk = "Png/big-corrupted-chunk.png";
public const string MissingPaletteChunk1 = "Png/missing_plte.png";
public const string MissingPaletteChunk2 = "Png/missing_plte_2.png";
+ public const string InvalidGammaChunk = "Png/length_gama.png";
// Zlib errors.
public const string ZlibOverflow = "Png/zlib-overflow.png";
diff --git a/tests/Images/Input/Png/length_gama.png b/tests/Images/Input/Png/length_gama.png
new file mode 100644
index 000000000..caf0fb01d
--- /dev/null
+++ b/tests/Images/Input/Png/length_gama.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:824766b34739727c722e88611d7b55401452c2970cd433f56e5f9f1b36d6950d
+size 1285