From 1d997821ed5e8dd26e4ba7f575cea9d212cb1423 Mon Sep 17 00:00:00 2001
From: James Jackson-South
Date: Thu, 21 Mar 2019 08:48:55 -0700
Subject: [PATCH] Bounds check. Fix #849
---
 .../Formats/Png/Zlib/ZlibInflateStream.cs | 9 ++++++++-
 .../Formats/Png/PngDecoderTests.cs | 3 ++-
 tests/ImageSharp.Tests/TestImages.cs | 1 +
 tests/Images/Input/Png/zlib-overflow.png | Bin 0 -> 10725 bytes
 4 files changed, 11 insertions(+), 2 deletions(-)
 create mode 100644 tests/Images/Input/Png/zlib-overflow.png
diff --git a/src/ImageSharp/Formats/Png/Zlib/ZlibInflateStream.cs b/src/ImageSharp/Formats/Png/Zlib/ZlibInflateStream.cs
index 583175b566..71141a8939 100644
--- a/src/ImageSharp/Formats/Png/Zlib/ZlibInflateStream.cs
+++ b/src/ImageSharp/Formats/Png/Zlib/ZlibInflateStream.cs
@@ -126,8 +126,9 @@ public override int Read(byte[] buffer, int offset, int count)
 int bytesToRead = Math.Min(count, this.currentDataRemaining);
 this.currentDataRemaining -= bytesToRead;
 int bytesRead = this.innerStream.Read(buffer, offset, bytesToRead);
+ long length = this.innerStream.Length;
- // keep reading data until we've reached the end of the stream or filled the buffer
+ // Keep reading data until we've reached the end of the stream or filled the buffer
 while (this.currentDataRemaining == 0 && bytesRead < count)
 {
 this.currentDataRemaining = this.getData();
@@ -138,6 +139,12 @@ public override int Read(byte[] buffer, int offset, int count)
 }
 offset += bytesRead;
+
+ if (offset >= length)
+ {
+ return bytesRead;
+ }
+
 bytesToRead = Math.Min(count - bytesRead, this.currentDataRemaining);
 this.currentDataRemaining -= bytesToRead;
 bytesRead += this.innerStream.Read(buffer, offset, bytesToRead);
diff --git a/tests/ImageSharp.Tests/Formats/Png/PngDecoderTests.cs b/tests/ImageSharp.Tests/Formats/Png/PngDecoderTests.cs
index eca7a2543a..fe406c9924 100644
--- a/tests/ImageSharp.Tests/Formats/Png/PngDecoderTests.cs
+++ b/tests/ImageSharp.Tests/Formats/Png/PngDecoderTests.cs
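Review bot: `long length = this.innerStream.Length;` takes its bound from the source stream, while `offset` is an index into the destination `buffer`, so the later `offset >= length` comparison mixes two unrelated quantities and does not appear to bound the write into `buffer`. `Stream.Length` also throws `NotSupportedException` on streams that cannot seek, and it is now evaluated on every `Read` call, including calls where the loop never runs. Bounding against the caller's array instead would look like `int limit = buffer.Length;`, or a single entry check that `offset + count <= buffer.Length`. The body of `Read` starts and ends outside this hunk.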
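Review bot: The `offset >= length` guard placed after `offset += bytesRead;` treats a symptom rather than the cause: `bytesRead` is a running total (`bytesRead += this.innerStream.Read(...)`), so on every pass after the first the loop advances `offset` by everything read so far instead of by the last read, and `offset` overshoots the next write position. Advancing by the per-call amount removes the overshoot, `int n = this.innerStream.Read(buffer, offset, bytesToRead); offset += n; bytesRead += n;`, with the read before the loop handled the same way and the `offset += bytesRead;` line dropped. The early `return bytesRead;` also gives the caller a short read with no indication that the data was cut off, which deserves a comment if that is the intended handling of malformed input. Part of the loop body lies between the two hunks and is not visible here.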
@@ -41,7 +41,8 @@ public partial class PngDecoderTests
 TestImages.Png.Rgb24BppTrans,
 TestImages.Png.GrayAlpha8Bit,
- TestImages.Png.Gray1BitTrans
+ TestImages.Png.Gray1BitTrans,
+ TestImages.Png.Bad.ZlibOverflow
 };
 public static readonly string[] TestImages48Bpp =
diff --git a/tests/ImageSharp.Tests/TestImages.cs b/tests/ImageSharp.Tests/TestImages.cs
index 3f12fab125..9099696247 100644
--- a/tests/ImageSharp.Tests/TestImages.cs
+++ b/tests/ImageSharp.Tests/TestImages.cs
@@ -85,6 +85,7 @@ public static class Bad
 public const string ChunkLength1 = "Png/chunklength1.png";
 public const string ChunkLength2 = "Png/chunklength2.png";
 public const string CorruptedChunk = "Png/big-corrupted-chunk.png";
+ public const string ZlibOverflow = "Png/zlib-overflow.png";
 }
 public static readonly string[] All =
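Review bot: `TestImages.Png.Bad.ZlibOverflow` is appended to a list whose other visible entries are ordinary images, and nothing records what the decoder is expected to do with this one. A one-line comment such as `// Malformed zlib data; regression input for #849.` would keep the entry from being pruned or moved later. If the tests that consume this list only check that decoding completes, a dedicated test asserting the expected outcome for this file would pin the fix more tightly. The list's declaration and the tests that use it are outside the hunk.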
diff --git a/tests/Images/Input/Png/zlib-overflow.png b/tests/Images/Input/Png/zlib-overflow.png new file mode 100644 index 0000000000000000000000000000000000000000..979e94274c60b2e886614cdadc0b0d917ceb3a3c GIT binary patch literal 10725 zcmVz^9GRH}9L;wH~07*naRCt_)ng>%GS=O+%lWa^D$}P2Wj-WsiIcJk| z&KPWCW1Qmz=QIvuvs=d`D(>c4v3LdaItI8da-rKYh+U z_uMXF2+}l)a~4gN3s96|gTS&z z_zn&z#+r<=B4O-Nj2-1W2kL%13g3prbsz_z{8&8qASz2GE3)^1A@?3HcC_F4%?#RSjBlfnats~13%i3p4`^uWQ?*QRDI}!m)r4Sf=ge#%&!ckE) zS(;9fLFm%H00$X+N+ekxfT1e$*dC=I#_=p+xaOhi9I%4)qse0Mybvs1YlpZwAPQTO zlr42}(fXC2%DwvF+?i|Hl^2upkNKsSxrfC2xCY3ri5v&2(4ORPh1FV-1Bv{&f3t$) zy%2#FRhmPUW$cNO1n~rJ!~wF8Jww7)`NrlZ9=%j`?)JHp*G?Y3ke^$blvVl| z)6n=_D<_IQnL%WSAp8iTIF%$x`~Qkr9wfMFN`=}ZV$U+3rjV;jq|0LL5fNZVBr$}d z&`6h)XLB2yP7DlP?dvV?>?msQjscpx{2JT6-}WST4rE;ZDLOHYC3C^yNSJSJX^vze zjuVTBQ{dtjjOOl~ z*1oik!OV9<*`0mqo!xoBvznAEmwm#+u`Ct_Pb4BV8W!~jJ(zpcKjJ3M1AZ5S2T7D= z(p?I_HZ)z2O>{+hngftV#6WPPsqz7^qPrBsBm^<4D3!=f zAhQFUXkMtu)h{aTW$WE1jo0tJENd$)3Zv(#v){P6zN&Q96x?xEe?Vqkl_&}=T)+$dUI$!%{7o1V(5 zJQl|0K-?Gv)ER=ta>-`86ta{>9Ops?48(~cP(vI@94CYy9PLy8_F2vAh}OQ01^rRo zdgZ3+m|?rhuyY77?UWj~OH9TBU}L3hZZd0Os${f3v%BMBOeD?P!JbG(a139BA3~9& zP-SWVNX0M3gQhH`C@hK;MFCBojprw0=^o!WN>m=+HLqURH$LqhXx-X5yJ0?UFjbg$ zj&7T)%%eF*+gL9g9Z4A3s!=ftA5rY}m@%6WcKyGpwDM z87o+v|7EEEs@Bh!j6y5&hnxvQ_&9U%h znZa1B6qd;iP(+D;anyoUXngeeQuJUn!AcjuRt#q(yvHN)0zVAFgP*f8G)_Kx8ufL+6R;QiJq;Nw;W@b~R2 ze=}WLTWE-j;FDPjdlC<-KUI>9@DAFM0~idMRvSJ(^KxRgcKhQs!_E%|<88obzGX1o zG?=b$8Lxdgu%w3NU(KE5q){U38w!b%- z@BW`+8%9fA0ju4e;~@57_sZJZeUs^FYEF_9#lZ^ai=#*EiS4;y_Et}b9W*J{WR?TU zzw}e=yP+RG?EbL3edV{EbDvD7O`A7AY~MGSpPF`_E$JHv#~w7d-MREbQB(7k#iiGO z`&4gSf4H@N3fSH(GV1fUS4!UN51Cf38J2#Mt0c}EnVWwBf#FZ%_}VzhwOV#_^WEv` zlP1$m({?qmZMyKkf4{x8bK3&*V)PW`#a{# zo9k!(x_kb!`OL=ZPr&ZSTK(q3s?#wlcY7j&!ILpe7A8D`JJfqhzjSA1u@YEc$^s0! 
zf{nS{jfL;uZ`>|BQq17eh|B;BsD~p-6&vf;(eY?wfcLB~0cwLZJUnC!@nw?&-P0iHt>r>2F%+@yYEwXcdzMm)xp7XKHmY0RRO7-0`bd)d=zpgJET{!U>6p8wK^GG8yjPUULf%#wTwL z4&}V-P4DRn@9&Ks>Wu@&N3PwworXu)fIaF(5r*zH*%;{gL5wI&wm~Bu5Qo%))WP8* z{lVVBYo`8MpR?__Zy=`;3VXI_m zHeqfeW^yQDd?0RWyec#ZL#N3pBoPUX;Y+hvl0p(I-43tWXD6?&&Temi{H{CwZF5|I zXH;){#JiRtpr2PVtu?8q)OfgdW*`;(Xz5=LMW@(<_t4;JW_s@HTWFyzc| z%=8dEo2ZqAoI^)^X-tgDBb~_)rEoHNic+B>p2`lkwdbJ>*XG7!4X-L**ZY85S4-d* z!hrFiOBE$@DoS*~T3g%h=kS<6|D3V3^l)8Y04>=3KZ$YW zB~)HE4$<1;)DaP?`udw4ZAq;y@jb0!-ETv?n*xBAHwQ z(M+W{XFyA`j~s-sNEKCOLj&0ha}}%8u``1qlf4JWd!qZgB9`ZKkF6*`#o1Q&uGWt3XQ~rlJU!LklHS&w1_J}VZ!JuZpTG7)0G)wz!tFm`^DTpg zJbak7y!>c&FyXwBL!-$_BoU4t!iew->TfSF@Wad%Ns zA3QqWSQkC;E@!ACZm>Oepe+FCX-iz5JDirGrO`3g1UbU<`7dH97pXjT_z$t!q0pIu z_=$HhAf{g`jEs>`Xc#BdlgRR+inF<@5)gyl&w=2LM*{M*y&_qTiy!HY z8|{e&W+yK`f0E2(5kSn!`Wp~?@+5C%?k5G&`J@x)508)Jt}GrgEvDW#SS%GPOofP1TuJ}}KllLRfyH6U4<~iM z&72uMvN~C|F?)D(E)!UsDlx8BUAtMr;(i5l49{>!q?rttJeXr?RAm-Llx#%~M%cKj za}`tL1)KU4pEnD3SF=AY9|pFT51aMJ?msxrV10Ff=wgRxu)H{`A_L|qMVxiO(cO{c z8>pqed|bV?auF~uml+pJ0E4c0WA(<|)CCun*v?^}jiWV-&)gF;tri$p^3A#o(?YsQ zSNLJ=(BkaH^dv_DK|rO-NbGoomqbz&A<9xbFK9p6jmfsIIFj7elA+g~HR_H5ro~(U ztjzlA7q8Cqgx@)#t^iq_4*M^R<-LtEiztr&j^ac2<4ZI1PN-JpP5s z&s)dLTlcmN_uYLIR`!^0?e|l8^oKQvbZfQmjitMWl22=;A6H90>dQZG9Nyl#^Ymd1 zi$y~af&*2{ltxj+;ol^a7XSbd07*naRA7Z;$g!x@-4l7+cB`)^7Zzo+9%QO^){BAn zrt0mj$cYTsXQLQJDI>7=RbXeoOXqLhLF|l#Gw$n+@kan+}27{}`(NZaneZ z&V|qBbF1r5A3V;+F}YYedmqUYEnV6iHv#!5s*t+}4a02+Nq4ICWV}IK|_i?k@Y`z6u&*NvO zoHb5l28qf>$P_y$cd?=3&NtTwI&#++&g`xofmr>vdGfC?u;IjKWA%>l&Tk(d2Ss_? 
z;J*Ef^>^ReAGq>U(ZX`;wz=A9IQ~(8 zvvK#}=H*8Z4_;cByS;5Xx1m3=vsL}xc|cYnbg`1bIz zxVgm^ld)=N`{eFQ`G++K*Ae);yY>Cf=9RV8SAD%#D^DGbhzn21h&cDd@wcsy>*{Y0 z4P4aC-`O#r-(0UY>W_gNSQ+(&AGeQ#*vP~!xzZwrr@7*|DVC~;sImdN61u8*8>+&Q zsqX51J~`W_U%m`LJ8N7l++HeszgqEr?HB;%X!2cV)3flg?ws}M>fyGWnU0cQmw(({ zJ+Zxf+`Le_yHvird<-x`30W@N)L-5)U5iZ(AkwYAwzI-me-{+xF*@5ltGldQ`O&aa z34k69@o}xlw2=K_vr<1-(AJb!{~~3uH`hX2&QxFN>RkEO@-dLvTFu{BDl@JfhT5~a zm}A~3h7Siv&dXgeM7lecqQY_#IGQ316?RIRT()a2QJe@?2Pm?WXY+L{z3VGiKn$z^ zldc2?-dQ(hv5F! z=L_{K7tDsA;?e?1j05|yw)>szBr0ZGZ{6tR>8ZI3>$(cSFkiGWldqpl*_zFOZ*47> z=w>d=jGxxcR&K7HH7{S>oIkTLQ3REJbs-a2nJZkKFIr#7TA4}PSk492zQHpRxkb#8 ztaM<-ab1i5DTcaaIMDs~5!{v9fZnm$*_nG|qt_<}($?ln*C+FUt;ziLv7Ak)nWF{k zqeWjR(2wM=j+TBQcWo?BKasmSmc2AousE2%JeIaHp1!0zY%-jQNpUAJzp}@e6Z@j9aH864ZDUv-gr5OJoV8Zgnl+kI%mv?8^kkyW&PW z4o!3a z7tvoIIZ_ur)^Kp}b>vWERDV+>(AS*M-;y}e2E(V0zBxGjI(puxBu)+ z&gRD9uz0x>4dXy#GG#6fRGA$`;u;`t9cUOHzxlHMNMqeWpsOyjyFO~LK6IopVyGn; z=x+`M`kD{EdlNm-lG4|dH2fxR@b$sbrqJp3==si|#h%cm(bTQEy#D@k0s#g`*VvNe z4xBiarofVlRLlGNEXYQdGRc7%xDP9IKwJb0%9$(WODmU~TC(2OhBdzk>8J_pd=}JO z6Vm@Ytoub!&&%M>S3y8WT~ud%^kjDyFx{3k(ik(`7&_J*0b&-n>Fka53jas}o{n*1 zaA+bK7FF1gME1x&&k$v8gQZe~)vMZOCXx zX78KCk*0V6#75qPOuhBhb%)FiBy7y&ba$T=iT*4GB@x8v%50`Om!m92L^*cUAR7v- zyfRdzO-Rdm)7I16QuyL!TJ4k2$9H{dZaY7}t9<&vqvoOKs~0gZY9jl)etLYbNQhu= zo)2ifA28LFI@J;|+ZH_2tpsMLGZq(eRlXbo>$`7>Vn?bwa>mQ<})jf=T`yy?s zF=(P8V75iO_AYp?KYC+2t)Z@1B*4H%(~9JZ$oPn;KzK*OnPrZOwHGV*6TNY4tI8egFNKnj~a+e3E#lx@S_QYm;R2H|X zblAo-VI#=dZ%bE#7~46GE={8F{lCRZ9m!leU+L|)|Ku6J!H$yAp7O@09>D8gq#)K& z7c$+K-r9IHCJZNIf8#E*zj5B9sU{i3rr!iFcKB`dhk=-3F7xi~cn<4#F(-cF?_yup zv0NZ9?qNdSYnI|DDk;Y@BCLr1`*6-SWDS|aqKgF4u>nP;>346Q1#aIy3Y1l(@Ps%# z8Q};-JapgDlGsO=JceFp%{99(wt4B^Nf&w~x~Xi~?UFe-A`5Fp3v%Mepw1<9mr_KU z>cEPI{RqZZf+NWhx<)3D=BDSIsVceg!>L=h3+~-7xpVh&YFea73(?Rw*k zcV}(>Op80P+NCuP22OQH8s~B@ojJ%vFt&8hePp#0Kbfg6{F7K%^3(jvcXVk5PgTWn z$pklRk{ZNpNd!CtwR8NM%_Ff;JAlFX8bDAh67n6HMyH?*r5IOzIJx#lAgtHAR_$_! 
z&tk6(+(4}MiH5{>azgE(aic0yK#Zw6#8&4rmDvPtpe1<-QYWH}f+I5#29JRgaYzCo zMk4)&$0wt7M>3g@#WJ`k!&9ZHxe?vtTR39wK(}ARL zBs<$ul-4BYeK?^tNvhU3T)3Dz*y1zO8@|!$XXpvs>{aW#UFL>!zCVSMSTrn^$aKr4 zsWM5qB+}Qc@$bOkrIHXDT#Eo9o-vtV%B(f8-fQ2 z$4B|SzUMvJmbTX8y3yyc)$6_a&TG2!plPNcIYz~$ePzS&1c>7Fe;4Das=-a_ep=#o zO6;74a$=nr?iT10sz7Z=0Gh^=(U$KR#qBw~n6suPVwlqHkoDIi8vWP=q?lW$G&bfEh>QUoHUABZ`T zBu)e$5OXBUu@nWg_Er>kJCYWFFrKR}YrOBHA1U4J_uLxLu6KK`cDR9Gv#RInbbV&|N5)as8c{cWJCYSFQ6jD?Fz%R@LX*Wbo{0YzJWi>?CN4 zID#+&<$Bo@WJHRXLX#Dggm?5jO^+ck0`19O!5(Py z^GgG@u510#oBi%S&%3(-ziJTN7 zGZcpg5h*e@&m%Q6`&n(>kGC%r9nR)Uons4b_g;VNIo~9otP{4@r@G284s@;!!o*2a0E#q*EQtmyJXIwSYj57E zZD_h)+wfyhNFazIs4to74Pq=oGG3T!$BJ{Hcw?!)g{fZkkIyW2hs}2cuXd{z+ZEG| zs@WzDh+U~-Q^svLIpafDQsSuy z#hys8#ySe|I0=Q|i4e6+0>M=xnR!><@-z<0(nfEPu1z}pl0NXtrMpHl+uy(0E{a!a-K65ttbd_7pqtss>_|`rP?d`sD z@m!QbEJ6rS;WbdD*j!(cB;>(^s`~ox!D`@b5{N-PoPFs$|4RApnR2x+Dn3TSV`26q zd|QUZh8OZ3!;ir8{n|;Inwr$v*>?6==8enc&mV<9x)ad&s`OpQ$&}TC7`zc_Nn78x2^`id7x?hS>63iFy5?weP0Ft-v8dSECZJkk4;O& zov09w^;N!W2A};bj6+#STGWA}6o;RG&>ANy z-rVz^dgEmtjbCk5Ei}p|>Se<(gsnAxV{P$g&!rJb80eF%@O+Xa4N4$gUHrQkS)I#p z&2tpQA3!9Ukd%fu_p46kJ$)GerY>i&F|?=Ff2ct*(W05_N!0bFjCK??Jc@euII;Cj zVRuVmdt>g#RPM@X1}vA0ZEhB;r=pQ3g7zDfvCfbT<9ED z`|@^MYfa0m zqdJGihc@*zHNB31(-7DBoH^ViflvdBJs$c&-_1#X^IXWTF8DWn)Nd;hJF@}iVHm6B|l#Yrcm%44joI@l3~Lo%Cx-dbSZ#rgl$V90AiM3 z$eT;s0SK=;Lhg=LLTNtiWw+GHhwUcez8O zYgOtRUFRFrv(J5|YrMu^d8~AV9xd~R9umaxECF5|$k4=CGc^u8PllNBq~XcJ?D4vn zQDblAi~XMK?|h(#*qwfxcLaY7jUa8#bha4vvwS;QEwMF2-rfJoCRtW+CZ1dky{MY5^-&SHiFNS|y2>mbMFT9q|Jof;mUdGMU zCk?$RXnm5z;Sw24Cmc&f=DQ<`M7CQdRi5w_-h;q$b`6LdpS(3N^yB<+(&AX^+CtFQ zO8CZ7;MPj;=5oZwQn+D0c4H=bYcz0ez-RNF|4O@dp)q=@HgvcqsQngrP%`o{Ot<1aF}6Bi=v;!QC9vrdZ;ufD{5{>ob^S!z z`eeF!HtfS<^xxKE|Gpmo*OjQ<*&y?{|JJbgX0Q87hZ4kQ>m(CTG*dNhvvr9}P3hB} z715p;GQ|cuJrJXcw5T#g;FTxT=8`3`SX7GeHC5IAi_5?4u9a=h=WQ&7?rz2IY(^T_ zLbp~T0sU0u>O}a)us?`_)l#d+T3h18i{RdeKBLb=mikH_UslNl-}rkHsZ5DT?jdkK z#+Fo2WmzKdjfTbzox|gzC((&AA65R{s21G@Kysm$_yYcwL){_tGrxU^=VRgr&A`(;T 
z#0#X#qo6*~+#%=landv*FT|1IN8ykQ4(CtI)~s$eZ>=9&Up=zDmS|j#gVcZoSsxD3 z4+ZN7!`BAF=DU2xn_c@~`uDwnGMKv1pa1;s1qB-`7Q6fSL_xQOaKqRxDGYhy-cJbs zB(~?qR%S4r)0l!_aHG@63YqBYg@BcrYrh(fzSkexUP(6S;&lVsMaaMb4_%LXwaaa~ zQ9A!dt84aNYENJ8$f&!X8RuaKRy+hH(8W})Ga`#*s^Xybl2kb)=PZCM2*Y!N$ZV1$ z;t&?idHk$$Sy#4gJo(9xZdi)7SdIB_j)tub2I;y3rrv62JG_9YmZ;t7BHcj2t+N6# zYAa(pI6M2WSPC*bge5tMO5^FW1k?o<%n%B97PB#0%@e4)J)Atq?c#u?O4$~P5RWgq5VNGzhXGo}0_d};rYTIs2%wL^cxHdU? ze0aEGWZ+PLPf=fcX>VIePkVJ=*XgnTpC8>RONv!<=wGu~GOadLq)MW2f*JCIOhqh9 znS{#YSgIVcSEEsjrsWpk0aTFgg{#to&%r|NWl%EyV2QNuwtnWQZyM~u(Sd2ASupSAO;eS{eazf-?{<|2IkS|pv51?zZQ8moMRDvK5 zOV>KkJfPjilRPLS5kMu-zd!>hWE%iarbC~GB?_EKLI;uxM|E@JM$zQSs3wi>n$FaG zL0t%=a5WWd)gi8`M5;Y1b}wMaQc3(MM@BG~rgA`BoDeRS!f_&!u>_J6$pKHn5~(DF zL8WpO6qXE+Is>rM!gh(s^kay^dCr*vWj4<>Q|OVy(d4kzmUdV6MGS)WCo!g5{uiJT zv7E|MWzi*JM2;Vb;fU^Fg^=SX4GZM;!qQ$|2L(WK@nYoJkBVjq8U<6WNf} zZW#c}^$V7CC;~B&=P{vMIZs_G@hAj0nDk^pG?C?wqiYDL0K^<{1bZhuj_e3xcnZOZ zgmXgp1XScmk&;-Lf=!BJVPJK&8;@kfq$S zJxc!p92avuivXU71-5HGB2Om@BJjL0B0Gr038wMG0E8Pv;RM1bIEKF?D-RZiN6G!1Lm|WePlVxUTUQ)H!Tr7E_Xe3R6)|BAI@WNDU(( zp?Innf#wZcSUk(so*wGJ2*Yy|XwnRpOExM?XUg)#Zsk(9BECzG&^?c<&VtJ_m6;GR zzGtyOTgLM!`7dH@k3tZGGxh*IfqMoZ(xeF0$wFnKz$F157*`&{k{tx-iX@gYm7~fO zxaA5xO9dV!dsq8cF`;`Ah;dzW0kDDvjpvpi_DYp{m54kFC9cJQvulZqTdA`qU*eo4 za*h+b#PgJ)T$d1-^S~FYT#m{DUsVDKRe1tsE>DvULt8HEQLq;bs2rB}ivKDGAAu{t z_bdfKo$q}JfXKoz-1HuB>wECsi~nHnyIgH4&#P?jr_+1G{Nv;Tfa{*i^RO(_;09w$ z{f@Xsoc4;nDDyoG=Lp?FvQ+GK2!`OQ3pgqWZvp=ww*-4fn5Z005#PO(rzz&B3fW3H z2R_MzVhCscac^wb!haXryTl)W8{8rQR)FX~_(N6ra4h(8C-Btv>NbdRp$Msq{t(-H+XY{NllLAmhyni( X(w@Bf`q(In00000NkvXXu0mjfk^tow literal 0 HcmV?d00001