Add check in ReadCompressedTextChunk() for enough data after keyword end

brianpopow · brianpopow · commit ba01f9c12580 · 2026-03-10T16:36:55.000+01:00
diff --git a/src/ImageSharp/Formats/Png/PngDecoderCore.cs b/src/ImageSharp/Formats/Png/PngDecoderCore.cs
@@ -1402,26 +1402,31 @@ private void ReadCompressedTextChunk(ImageMetadata baseMetadata, PngMetadata met
             return;
         }
 
-        int zeroIndex = data.IndexOf((byte)0);
-        if (zeroIndex is < PngConstants.MinTextKeywordLength or > PngConstants.MaxTextKeywordLength)
+        int keywordEnd = data.IndexOf((byte)0);
+        if (keywordEnd is < PngConstants.MinTextKeywordLength or > PngConstants.MaxTextKeywordLength)
         {
             return;
         }
 
-        byte compressionMethod = data[zeroIndex + 1];
+        if (keywordEnd < 0 || keywordEnd + 2 > data.Length)
+        {
+            return; // Not enough data for keyword + null + compression method.
+        }
+
+        byte compressionMethod = data[keywordEnd + 1];
         if (compressionMethod != 0)
         {
             // Only compression method 0 is supported (zlib datastream with deflate compression).
             return;
         }
 
-        ReadOnlySpan<byte> keywordBytes = data[..zeroIndex];
+        ReadOnlySpan<byte> keywordBytes = data[..keywordEnd];
         if (!TryReadTextKeyword(keywordBytes, out string name))
         {
             return;
         }
 
-        ReadOnlySpan<byte> compressedData = data[(zeroIndex + 2)..];
+        ReadOnlySpan<byte> compressedData = data[(keywordEnd + 2)..];
 
         if (this.TryDecompressTextData(compressedData, PngConstants.Encoding, out string? uncompressed)
             && !TryReadTextChunkMetadata(baseMetadata, name, uncompressed))

Original file line number	Diff line number	Diff line change
`@@ -1402,26 +1402,31 @@ private void ReadCompressedTextChunk(ImageMetadata baseMetadata, PngMetadata met`
`1402`	`1402`	`return;`
`1403`	`1403`	`}`
`1404`	`1404`
`1405`		`- int zeroIndex = data.IndexOf((byte)0);`
`1406`		`- if (zeroIndex is < PngConstants.MinTextKeywordLength or > PngConstants.MaxTextKeywordLength)`
	`1405`	`+ int keywordEnd = data.IndexOf((byte)0);`
	`1406`	`+ if (keywordEnd is < PngConstants.MinTextKeywordLength or > PngConstants.MaxTextKeywordLength)`
`1407`	`1407`	`{`
`1408`	`1408`	`return;`
`1409`	`1409`	`}`
`1410`	`1410`
`1411`		`- byte compressionMethod = data[zeroIndex + 1];`
	`1411`	`+ if (keywordEnd < 0 \|\| keywordEnd + 2 > data.Length)`
	`1412`	`+ {`
	`1413`	`+ return; // Not enough data for keyword + null + compression method.`
	`1414`	`+ }`
	`1415`	`+`
	`1416`	`+ byte compressionMethod = data[keywordEnd + 1];`
`1412`	`1417`	`if (compressionMethod != 0)`
`1413`	`1418`	`{`
`1414`	`1419`	`// Only compression method 0 is supported (zlib datastream with deflate compression).`
`1415`	`1420`	`return;`
`1416`	`1421`	`}`
`1417`	`1422`
`1418`		`- ReadOnlySpan<byte> keywordBytes = data[..zeroIndex];`
	`1423`	`+ ReadOnlySpan<byte> keywordBytes = data[..keywordEnd];`
`1419`	`1424`	`if (!TryReadTextKeyword(keywordBytes, out string name))`
`1420`	`1425`	`{`
`1421`	`1426`	`return;`
`1422`	`1427`	`}`
`1423`	`1428`
`1424`		`- ReadOnlySpan<byte> compressedData = data[(zeroIndex + 2)..];`
	`1429`	`+ ReadOnlySpan<byte> compressedData = data[(keywordEnd + 2)..];`
`1425`	`1430`
`1426`	`1431`	`if (this.TryDecompressTextData(compressedData, PngConstants.Encoding, out string? uncompressed)`
`1427`	`1432`	`&& !TryReadTextChunkMetadata(baseMetadata, name, uncompressed))`