Bounds check. Fix #849 (#851)

7 years ago · 512647489f
4 changed files with 14 additions and 2 deletions
--- a/src/ImageSharp/Formats/Png/Zlib/ZlibInflateStream.cs
+++ b/src/ImageSharp/Formats/Png/Zlib/ZlibInflateStream.cs
@ -126,8 +126,9 @@ namespace SixLabors.ImageSharp.Formats.Png.Zlib
            int bytesToRead = Math.Min(count, this.currentDataRemaining);
            this.currentDataRemaining -= bytesToRead;
            int bytesRead = this.innerStream.Read(buffer, offset, bytesToRead);
+            long length = this.innerStream.Length;

-            // keep reading data until we've reached the end of the stream or filled the buffer
+            // Keep reading data until we've reached the end of the stream or filled the buffer
            while (this.currentDataRemaining == 0 && bytesRead < count)
            {
                this.currentDataRemaining = this.getData();
@ -138,6 +139,12 @@ namespace SixLabors.ImageSharp.Formats.Png.Zlib
                }

                offset += bytesRead;
+
+                if (offset >= length)
+                {
+                    return bytesRead;
+                }
+
                bytesToRead = Math.Min(count - bytesRead, this.currentDataRemaining);
                this.currentDataRemaining -= bytesToRead;
                bytesRead += this.innerStream.Read(buffer, offset, bytesToRead);
--- a/tests/ImageSharp.Tests/Formats/Png/PngDecoderTests.cs
+++ b/tests/ImageSharp.Tests/Formats/Png/PngDecoderTests.cs
@ -41,7 +41,8 @@ namespace SixLabors.ImageSharp.Tests.Formats.Png

            TestImages.Png.Rgb24BppTrans,
            TestImages.Png.GrayAlpha8Bit,
-            TestImages.Png.Gray1BitTrans
+            TestImages.Png.Gray1BitTrans,
+            TestImages.Png.Bad.ZlibOverflow
        };

        public static readonly string[] TestImages48Bpp =
--- a/tests/ImageSharp.Tests/TestImages.cs
+++ b/tests/ImageSharp.Tests/TestImages.cs
@ -85,6 +85,7 @@ namespace SixLabors.ImageSharp.Tests
                public const string ChunkLength1 = "Png/chunklength1.png";
                public const string ChunkLength2 = "Png/chunklength2.png";
                public const string CorruptedChunk = "Png/big-corrupted-chunk.png";
+                public const string ZlibOverflow = "Png/zlib-overflow.png";
            }

            public static readonly string[] All =
--- a/tests/Images/Input/Png/zlib-overflow.png
+++ b/tests/Images/Input/Png/zlib-overflow.png
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2705125a7b108c7ef4e13872be88b991cd06ba97d81a306f70f58749cec53514
+size 10725