From 457c4f4b82fc70b3974b57ac75062826e491f6ae Mon Sep 17 00:00:00 2001
From: James Jackson-South <james_south@hotmail.com>
Date: Thu, 5 Oct 2017 23:56:43 +1100
Subject: [PATCH] Handle corrupted data portions. Fix #358

---
 src/ImageSharp/Formats/Png/PngDecoderCore.cs   | 13 ++++++++++++-
 tests/ImageSharp.Tests/TestImages.cs           |  1 +
 tests/Images/Input/Png/big-corrupted-chunk.png |  3 +++
 3 files changed, 16 insertions(+), 1 deletion(-)
 create mode 100644 tests/Images/Input/Png/big-corrupted-chunk.png

diff --git a/src/ImageSharp/Formats/Png/PngDecoderCore.cs b/src/ImageSharp/Formats/Png/PngDecoderCore.cs
index 3bca4b261f..7149b74d89 100644
--- a/src/ImageSharp/Formats/Png/PngDecoderCore.cs
+++ b/src/ImageSharp/Formats/Png/PngDecoderCore.cs
@@ -1124,12 +1124,23 @@ namespace SixLabors.ImageSharp.Formats.Png
         {
             var chunk = new PngChunk();
             this.ReadChunkLength(chunk);
-            if (chunk.Length < 0)
+
+            if (chunk.Length == -1)
             {
+                // IEND
                 return null;
             }
 
+            if (chunk.Length < 0 || chunk.Length > this.currentStream.Length - this.currentStream.Position)
+            {
+                // Not a valid chunk so we skip back all but one of the four bytes we have just read.
+                // That lets us read one byte at a time until we reach a known chunk.
+                this.currentStream.Position -= 3;
+                return chunk;
+            }
+
             this.ReadChunkType(chunk);
+
             if (chunk.Type == PngChunkTypes.Data)
             {
                 return chunk;
diff --git a/tests/ImageSharp.Tests/TestImages.cs b/tests/ImageSharp.Tests/TestImages.cs
index dbcacb4f37..8af9d170b9 100644
--- a/tests/ImageSharp.Tests/TestImages.cs
+++ b/tests/ImageSharp.Tests/TestImages.cs
@@ -20,6 +20,7 @@ namespace SixLabors.ImageSharp.Tests
             public const string Blur = "Png/blur.png";
             public const string Indexed = "Png/indexed.png";
             public const string Splash = "Png/splash.png";
+            public const string CorruptedChunk = "Png/big-corrupted-chunk.png";
             public const string Cross = "Png/cross.png";
             public const string Powerpoint = "Png/pp.png";
             public const string SplashInterlaced = "Png/splash-interlaced.png";
diff --git a/tests/Images/Input/Png/big-corrupted-chunk.png b/tests/Images/Input/Png/big-corrupted-chunk.png
new file mode 100644
index 0000000000..2d46460fc0
--- /dev/null
+++ b/tests/Images/Input/Png/big-corrupted-chunk.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6684985456687682d74b63ad8ef7983f2d6b593a6edc243b1a21c6a64cccf34a
+size 9195