From 0fa6085611e69e5e4eb2827e8293eb747585a034 Mon Sep 17 00:00:00 2001
From: Brian Popow <popow@gmx.de>
Date: Mon, 21 Feb 2022 12:10:23 +0100
Subject: [PATCH] Throw exception, if gamma chunk does not contain enough data

---
 src/ImageSharp/Formats/Png/PngDecoderCore.cs      | 10 ++++++++--
 src/ImageSharp/Formats/Png/PngThrowHelper.cs      |  3 +++
 .../Formats/Png/PngDecoderTests.cs                | 15 +++++++++++++++
 tests/ImageSharp.Tests/TestImages.cs              |  1 +
 tests/Images/Input/Png/length_gama.png            |  3 +++
 5 files changed, 30 insertions(+), 2 deletions(-)
 create mode 100644 tests/Images/Input/Png/length_gama.png

diff --git a/src/ImageSharp/Formats/Png/PngDecoderCore.cs b/src/ImageSharp/Formats/Png/PngDecoderCore.cs
index f5fc86ee4..090e1e2b0 100644
--- a/src/ImageSharp/Formats/Png/PngDecoderCore.cs
+++ b/src/ImageSharp/Formats/Png/PngDecoderCore.cs
@@ -429,10 +429,16 @@ namespace SixLabors.ImageSharp.Formats.Png
         /// <param name="pngMetadata">The metadata to read to.</param>
         /// <param name="data">The data containing physical data.</param>
         private void ReadGammaChunk(PngMetadata pngMetadata, ReadOnlySpan<byte> data)
+        {
+            if (data.Length < 4)
+            {
+                PngThrowHelper.ThrowInvalidGamma();
+            }
 
-            // The value is encoded as a 4-byte unsigned integer, representing gamma times 100000.
             // For example, a gamma of 1/2.2 would be stored as 45455.
-            => pngMetadata.Gamma = BinaryPrimitives.ReadUInt32BigEndian(data) * 1e-5F;
+            // The value is encoded as a 4-byte unsigned integer, representing gamma times 100000.
+            pngMetadata.Gamma = BinaryPrimitives.ReadUInt32BigEndian(data) * 1e-5F;
+        }
 
         /// <summary>
         /// Initializes the image and various buffers needed for processing
diff --git a/src/ImageSharp/Formats/Png/PngThrowHelper.cs b/src/ImageSharp/Formats/Png/PngThrowHelper.cs
index ae7d16ec7..07372dae2 100644
--- a/src/ImageSharp/Formats/Png/PngThrowHelper.cs
+++ b/src/ImageSharp/Formats/Png/PngThrowHelper.cs
@@ -24,6 +24,9 @@ namespace SixLabors.ImageSharp.Formats.Png
         [MethodImpl(InliningOptions.ColdPath)]
         public static void ThrowMissingPalette() => throw new InvalidImageContentException("PNG Image does not contain a palette chunk");
 
+        [MethodImpl(InliningOptions.ColdPath)]
+        public static void ThrowInvalidGamma() => throw new InvalidImageContentException("PNG Image does not contain enough data for the gamma chunk");
+
         [MethodImpl(InliningOptions.ColdPath)]
         public static void ThrowInvalidChunkType() => throw new InvalidImageContentException("Invalid PNG data.");
 
diff --git a/tests/ImageSharp.Tests/Formats/Png/PngDecoderTests.cs b/tests/ImageSharp.Tests/Formats/Png/PngDecoderTests.cs
index a92856c73..7fd87258b 100644
--- a/tests/ImageSharp.Tests/Formats/Png/PngDecoderTests.cs
+++ b/tests/ImageSharp.Tests/Formats/Png/PngDecoderTests.cs
@@ -281,6 +281,21 @@ namespace SixLabors.ImageSharp.Tests.Formats.Png
             Assert.Contains("PNG Image does not contain a palette chunk", ex.Message);
         }
 
+        [Theory]
+        [WithFile(TestImages.Png.Bad.InvalidGammaChunk, PixelTypes.Rgba32)]
+        public void Decode_InvalidGammaChunk_ThrowsException<TPixel>(TestImageProvider<TPixel> provider)
+            where TPixel : unmanaged, IPixel<TPixel>
+        {
+            Exception ex = Record.Exception(
+                () =>
+                {
+                    using Image<TPixel> image = provider.GetImage(PngDecoder);
+                    image.DebugSave(provider);
+                });
+            Assert.NotNull(ex);
+            Assert.Contains("PNG Image does not contain enough data for the gamma chunk", ex.Message);
+        }
+
         [Theory]
         [WithFile(TestImages.Png.Bad.BitDepthZero, PixelTypes.Rgba32)]
         [WithFile(TestImages.Png.Bad.BitDepthThree, PixelTypes.Rgba32)]
diff --git a/tests/ImageSharp.Tests/TestImages.cs b/tests/ImageSharp.Tests/TestImages.cs
index c6bd20a7d..5bce99ce1 100644
--- a/tests/ImageSharp.Tests/TestImages.cs
+++ b/tests/ImageSharp.Tests/TestImages.cs
@@ -129,6 +129,7 @@ namespace SixLabors.ImageSharp.Tests
                 public const string CorruptedChunk = "Png/big-corrupted-chunk.png";
                 public const string MissingPaletteChunk1 = "Png/missing_plte.png";
                 public const string MissingPaletteChunk2 = "Png/missing_plte_2.png";
+                public const string InvalidGammaChunk = "Png/length_gama.png";
 
                 // Zlib errors.
                 public const string ZlibOverflow = "Png/zlib-overflow.png";
diff --git a/tests/Images/Input/Png/length_gama.png b/tests/Images/Input/Png/length_gama.png
new file mode 100644
index 000000000..caf0fb01d
--- /dev/null
+++ b/tests/Images/Input/Png/length_gama.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:824766b34739727c722e88611d7b55401452c2970cd433f56e5f9f1b36d6950d
+size 1285