Merge pull request #2718 from SixLabors/js/check-palette-index

Limit Read Palette Indices

src/ImageSharp/Formats/Png/PngScanlineProcessor.cs

@@ -199,11 +199,12 @@ internal static class PngScanlineProcessor
         ref TPixel rowSpanRef = ref MemoryMarshal.GetReference(rowSpan);
         ref Color paletteBase = ref MemoryMarshal.GetReference(palette.Value.Span);
         uint offset = pixelOffset + frameControl.XOffset;
+        int maxIndex = palette.Value.Length - 1;
 
         for (nuint x = offset, o = 0; x < frameControl.XMax; x += increment, o++)
         {
             uint index = Unsafe.Add(ref scanlineSpanRef, o);
-            pixel.FromRgba32(Unsafe.Add(ref paletteBase, index).ToRgba32());
+            pixel.FromRgba32(Unsafe.Add(ref paletteBase, (int)Math.Min(index, maxIndex)).ToRgba32());
             Unsafe.Add(ref rowSpanRef, x) = pixel;
         }
     }

tests/ImageSharp.Tests/Formats/Png/PngDecoderTests.cs

@@ -693,4 +693,12 @@ public partial class PngDecoderTests
         string path = Path.GetFullPath(Path.Combine(TestEnvironment.InputImagesDirectoryFullPath, file));
         _ = Image.Identify(path);
     }
+
+    [Theory]
+    [InlineData(TestImages.Png.Bad.Issue2714BadPalette)]
+    public void Decode_BadPalette(string file)
+    {
+        string path = Path.GetFullPath(Path.Combine(TestEnvironment.InputImagesDirectoryFullPath, file));
+        using Image image = Image.Load(path);
+    }
 }

tests/ImageSharp.Tests/TestImages.cs

@@ -192,6 +192,8 @@ public static class TestImages
 
             public const string BadZTXT = "Png/issues/bad-ztxt.png";
             public const string BadZTXT2 = "Png/issues/bad-ztxt2.png";
+
+            public const string Issue2714BadPalette = "Png/issues/Issue_2714.png";
         }
     }
 

tests/Images/Input/Png/issues/Issue_2714.png

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9a4b6efc3090dbd70ae9efe97ea817464845263536beea4e80fd7c884dee6c5a
+size 128