diff --git a/src/ImageSharp/Formats/Png/PngDecoderCore.cs b/src/ImageSharp/Formats/Png/PngDecoderCore.cs index 3bca4b261f..7149b74d89 100644 --- a/src/ImageSharp/Formats/Png/PngDecoderCore.cs +++ b/src/ImageSharp/Formats/Png/PngDecoderCore.cs @@ -1124,12 +1124,23 @@ namespace SixLabors.ImageSharp.Formats.Png { var chunk = new PngChunk(); this.ReadChunkLength(chunk); - if (chunk.Length < 0) + + if (chunk.Length == -1) { + // IEND return null; } + if (chunk.Length < 0 || chunk.Length > this.currentStream.Length - this.currentStream.Position) + { + // Not a valid chunk so we skip back all but one of the four bytes we have just read. + // That lets us read one byte at a time until we reach a known chunk. + this.currentStream.Position -= 3; + return chunk; + } + this.ReadChunkType(chunk); + if (chunk.Type == PngChunkTypes.Data) { return chunk; diff --git a/tests/ImageSharp.Tests/TestImages.cs b/tests/ImageSharp.Tests/TestImages.cs index dbcacb4f37..8af9d170b9 100644 --- a/tests/ImageSharp.Tests/TestImages.cs +++ b/tests/ImageSharp.Tests/TestImages.cs @@ -20,6 +20,7 @@ namespace SixLabors.ImageSharp.Tests public const string Blur = "Png/blur.png"; public const string Indexed = "Png/indexed.png"; public const string Splash = "Png/splash.png"; + public const string CorruptedChunk = "Png/big-corrupted-chunk.png"; public const string Cross = "Png/cross.png"; public const string Powerpoint = "Png/pp.png"; public const string SplashInterlaced = "Png/splash-interlaced.png"; diff --git a/tests/Images/Input/Png/big-corrupted-chunk.png b/tests/Images/Input/Png/big-corrupted-chunk.png new file mode 100644 index 0000000000..8302689771 Binary files /dev/null and b/tests/Images/Input/Png/big-corrupted-chunk.png differ