From 8e6cab957b80a56d29ecfbdc3b8f628d09c16d81 Mon Sep 17 00:00:00 2001
From: James Jackson-South <james_south@hotmail.com>
Date: Tue, 26 May 2026 14:06:11 +1000
Subject: [PATCH] Validate PBM max pixel value

---
 src/ImageSharp/Formats/Pbm/PbmDecoderCore.cs        |  5 +++++
 .../ImageSharp.Tests/Formats/Pbm/PbmDecoderTests.cs | 13 +++++++++++++
 2 files changed, 18 insertions(+)

diff --git a/src/ImageSharp/Formats/Pbm/PbmDecoderCore.cs b/src/ImageSharp/Formats/Pbm/PbmDecoderCore.cs
index 989eadda7a..5451d3d461 100644
--- a/src/ImageSharp/Formats/Pbm/PbmDecoderCore.cs
+++ b/src/ImageSharp/Formats/Pbm/PbmDecoderCore.cs
@@ -155,6 +155,11 @@ internal sealed class PbmDecoderCore : ImageDecoderCore
                 ThrowPrematureEof();
             }
 
+            if (this.maxPixelValue <= 0 || this.maxPixelValue >= 65536)
+            {
+                throw new InvalidImageContentException("Invalid max pixel value.");
+            }
+
             if (this.maxPixelValue > 255)
             {
                 this.componentType = PbmComponentType.Short;
diff --git a/tests/ImageSharp.Tests/Formats/Pbm/PbmDecoderTests.cs b/tests/ImageSharp.Tests/Formats/Pbm/PbmDecoderTests.cs
index 476538ccdf..5c52c9785d 100644
--- a/tests/ImageSharp.Tests/Formats/Pbm/PbmDecoderTests.cs
+++ b/tests/ImageSharp.Tests/Formats/Pbm/PbmDecoderTests.cs
@@ -123,6 +123,19 @@ public class PbmDecoderTests
             appendPixelTypeToFileName: false);
     }
 
+    [Theory]
+    [InlineData("P2")]
+    [InlineData("P3")]
+    [InlineData("P5")]
+    [InlineData("P6")]
+    public void Decode_MaxPixelValueZero_ThrowsInvalidImageContentException(string magic)
+    {
+        byte[] bytes = Encoding.ASCII.GetBytes($"{magic} 1 1 0\n0");
+        using MemoryStream stream = new(bytes);
+
+        Assert.Throws<InvalidImageContentException>(() => Image.Load<Rgba32>(stream));
+    }
+
     [Fact]
     public void PlainText_PrematureEof()
     {