Merge pull request #2754 from SixLabors/backport-v3/gif-lzw

v3 - Backport. Handle out of bounds Gif LZW max code

Author: JimBobSquarePants

src/ImageSharp/Formats/Gif/LzwDecoder.cs

@@ -19,6 +19,11 @@ internal sealed class LzwDecoder : IDisposable
     /// </summary>
     private const int MaxStackSize = 4096;
 
+    /// <summary>
+    /// The maximum bits for a lzw code.
+    /// </summary>
+    private const int MaximumLzwBits = 12;
+
     /// <summary>
     /// The null code.
     /// </summary>
@@ -73,12 +78,12 @@ public void DecodePixels(int minCodeSize, Buffer2D<byte> pixels)
         // It is possible to specify a larger LZW minimum code size than the palette length in bits
         // which may leave a gap in the codes where no colors are assigned.
         // http://www.matthewflickinger.com/lab/whatsinagif/lzw_image_data.asp#lzw_compression
-        if (minCodeSize < 2 || clearCode > MaxStackSize)
+        if (minCodeSize < 2 || minCodeSize > MaximumLzwBits || clearCode > MaxStackSize)
         {
             // Don't attempt to decode the frame indices.
             // Theoretically we could determine a min code size from the length of the provided
             // color palette but we won't bother since the image is most likely corrupted.
-            GifThrowHelper.ThrowInvalidImageContentException("Gif Image does not contain a valid LZW minimum code.");
+            return;
         }
 
         // The resulting index table length.
@@ -245,12 +250,12 @@ public void SkipIndices(int minCodeSize, int length)
         // It is possible to specify a larger LZW minimum code size than the palette length in bits
         // which may leave a gap in the codes where no colors are assigned.
         // http://www.matthewflickinger.com/lab/whatsinagif/lzw_image_data.asp#lzw_compression
-        if (minCodeSize < 2 || clearCode > MaxStackSize)
+        if (minCodeSize < 2 || minCodeSize > MaximumLzwBits || clearCode > MaxStackSize)
         {
             // Don't attempt to decode the frame indices.
             // Theoretically we could determine a min code size from the length of the provided
             // color palette but we won't bother since the image is most likely corrupted.
-            GifThrowHelper.ThrowInvalidImageContentException("Gif Image does not contain a valid LZW minimum code.");
+            return;
         }
 
         int codeSize = minCodeSize + 1;

tests/ImageSharp.Tests/Formats/Gif/GifDecoderTests.cs

@@ -296,15 +296,9 @@ public void Issue2012EmptyXmp<TPixel>(TestImageProvider<TPixel> provider)
     public void Issue2012BadMinCode<TPixel>(TestImageProvider<TPixel> provider)
         where TPixel : unmanaged, IPixel<TPixel>
     {
-        Exception ex = Record.Exception(
-            () =>
-            {
-                using Image<TPixel> image = provider.GetImage();
-                image.DebugSave(provider);
-            });
-
-        Assert.NotNull(ex);
-        Assert.Contains("Gif Image does not contain a valid LZW minimum code.", ex.Message);
+        using Image<TPixel> image = provider.GetImage();
+        image.DebugSave(provider);
+        image.CompareToReferenceOutput(provider);
     }
 
     // https://bugzilla.mozilla.org/show_bug.cgi?id=55918
@@ -318,4 +312,15 @@ public void IssueDeferredClearCode<TPixel>(TestImageProvider<TPixel> provider)
         image.DebugSave(provider);
         image.CompareFirstFrameToReferenceOutput(ImageComparer.Exact, provider);
     }
+
+    // https://github.com/SixLabors/ImageSharp/issues/2743
+    [Theory]
+    [WithFile(TestImages.Gif.Issues.BadMaxLzwBits, PixelTypes.Rgba32)]
+    public void IssueTooLargeLzwBits<TPixel>(TestImageProvider<TPixel> provider)
+        where TPixel : unmanaged, IPixel<TPixel>
+    {
+        using Image<TPixel> image = provider.GetImage();
+        image.DebugSaveMultiFrame(provider);
+        image.CompareToReferenceOutputMultiFrame(provider, ImageComparer.Exact);
+    }
 }

tests/ImageSharp.Tests/Formats/Gif/GifMetadataTests.cs

@@ -214,4 +214,24 @@ public void Identify_Frames(
         Assert.Equal(frameDelay, gifFrameMetadata.FrameDelay);
         Assert.Equal(disposalMethod, gifFrameMetadata.DisposalMethod);
     }
+
+    [Theory]
+    [InlineData(TestImages.Gif.Issues.BadMaxLzwBits, 8)]
+    [InlineData(TestImages.Gif.Issues.Issue2012BadMinCode, 1)]
+    public void Identify_Frames_Bad_Lzw(string imagePath, int framesCount)
+    {
+        TestFile testFile = TestFile.Create(imagePath);
+        using MemoryStream stream = new(testFile.Bytes, false);
+
+        ImageInfo imageInfo = Image.Identify(stream);
+
+        Assert.NotNull(imageInfo);
+        GifMetadata gifMetadata = imageInfo.Metadata.GetGifMetadata();
+        Assert.NotNull(gifMetadata);
+
+        Assert.Equal(framesCount, imageInfo.FrameMetadataCollection.Count);
+        GifFrameMetadata gifFrameMetadata = imageInfo.FrameMetadataCollection[imageInfo.FrameMetadataCollection.Count - 1].GetGifMetadata();
+
+        Assert.NotNull(gifFrameMetadata);
+    }
 }

tests/ImageSharp.Tests/TestImages.cs

@@ -515,6 +515,7 @@ public static class Issues
             public const string BadAppExtLength = "Gif/issues/issue405_badappextlength252.gif";
             public const string BadAppExtLength_2 = "Gif/issues/issue405_badappextlength252-2.gif";
             public const string BadDescriptorWidth = "Gif/issues/issue403_baddescriptorwidth.gif";
+            public const string BadMaxLzwBits = "Gif/issues/issue_2743.gif";
             public const string DeferredClearCode = "Gif/issues/bugzilla-55918.gif";
             public const string Issue1505 = "Gif/issues/issue1505_argumentoutofrange.png";
             public const string Issue1530 = "Gif/issues/issue1530.gif";