Merge pull request #2719 from SixLabors/backport/v2-check-palette-indices

JimBobSquarePants · web-flow · commit a78ce27a2b7d · 2024-04-09T18:22:26.000+10:00
V2 - Limit Read Palette Indices
diff --git a/src/ImageSharp/Formats/Png/PngScanlineProcessor.cs b/src/ImageSharp/Formats/Png/PngScanlineProcessor.cs
@@ -250,6 +250,7 @@ public static void ProcessPaletteScanline<TPixel>(
             ref TPixel rowSpanRef = ref MemoryMarshal.GetReference(rowSpan);
             ReadOnlySpan<Rgb24> palettePixels = MemoryMarshal.Cast<byte, Rgb24>(palette);
             ref Rgb24 palettePixelsRef = ref MemoryMarshal.GetReference(palettePixels);
+            int maxIndex = palettePixels.Length - 1;
 
             if (paletteAlpha?.Length > 0)
             {
@@ -260,7 +261,7 @@ public static void ProcessPaletteScanline<TPixel>(
 
                 for (int x = 0; x < header.Width; x++)
                 {
-                    int index = Unsafe.Add(ref scanlineSpanRef, x);
+                    int index = Numerics.Clamp(Unsafe.Add(ref scanlineSpanRef, x), 0, maxIndex);
                     rgba.Rgb = Unsafe.Add(ref palettePixelsRef, index);
                     rgba.A = paletteAlpha.Length > index ? Unsafe.Add(ref paletteAlphaRef, index) : byte.MaxValue;
 
@@ -272,8 +273,8 @@ public static void ProcessPaletteScanline<TPixel>(
             {
                 for (int x = 0; x < header.Width; x++)
                 {
-                    int index = Unsafe.Add(ref scanlineSpanRef, x);
-                    Rgb24 rgb = Unsafe.Add(ref palettePixelsRef, index);
+                    uint index = Unsafe.Add(ref scanlineSpanRef, x);
+                    Rgb24 rgb = Unsafe.Add(ref palettePixelsRef, (int)Math.Min(index, maxIndex));
 
                     pixel.FromRgb24(rgb);
                     Unsafe.Add(ref rowSpanRef, x) = pixel;
diff --git a/tests/ImageSharp.Tests/Formats/Png/PngDecoderTests.cs b/tests/ImageSharp.Tests/Formats/Png/PngDecoderTests.cs
@@ -526,5 +526,13 @@ static void RunTest(string providerDump, string nonContiguousBuffersStr)
                     "Disco")
                 .Dispose();
         }
+
+        [Theory]
+        [InlineData(TestImages.Png.Bad.Issue2714BadPalette)]
+        public void Decode_BadPalette(string file)
+        {
+            string path = Path.GetFullPath(Path.Combine(TestEnvironment.InputImagesDirectoryFullPath, file));
+            using Image image = Image.Load(path);
+        }
     }
 }
diff --git a/tests/ImageSharp.Tests/TestImages.cs b/tests/ImageSharp.Tests/TestImages.cs
@@ -156,6 +156,8 @@ public static class Bad
                 // Invalid color type.
                 public const string ColorTypeOne = "Png/xc1n0g08.png";
                 public const string ColorTypeNine = "Png/xc9n2c08.png";
+
+                public const string Issue2714BadPalette = "Png/issues/Issue_2714.png";
             }
         }
 
diff --git a/tests/Images/Input/Png/issues/Issue_2714.png b/tests/Images/Input/Png/issues/Issue_2714.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9a4b6efc3090dbd70ae9efe97ea817464845263536beea4e80fd7c884dee6c5a
+size 128

Original file line number	Diff line number	Diff line change
`@@ -250,6 +250,7 @@ public static void ProcessPaletteScanline<TPixel>(`
`250`	`250`	`ref TPixel rowSpanRef = ref MemoryMarshal.GetReference(rowSpan);`
`251`	`251`	`ReadOnlySpan<Rgb24> palettePixels = MemoryMarshal.Cast<byte, Rgb24>(palette);`
`252`	`252`	`ref Rgb24 palettePixelsRef = ref MemoryMarshal.GetReference(palettePixels);`
	`253`	`+ int maxIndex = palettePixels.Length - 1;`
`253`	`254`
`254`	`255`	`if (paletteAlpha?.Length > 0)`
`255`	`256`	`{`
`@@ -260,7 +261,7 @@ public static void ProcessPaletteScanline<TPixel>(`
`260`	`261`
`261`	`262`	`for (int x = 0; x < header.Width; x++)`
`262`	`263`	`{`
`263`		`- int index = Unsafe.Add(ref scanlineSpanRef, x);`
	`264`	`+ int index = Numerics.Clamp(Unsafe.Add(ref scanlineSpanRef, x), 0, maxIndex);`
`264`	`265`	`rgba.Rgb = Unsafe.Add(ref palettePixelsRef, index);`
`265`	`266`	`rgba.A = paletteAlpha.Length > index ? Unsafe.Add(ref paletteAlphaRef, index) : byte.MaxValue;`
`266`	`267`
`@@ -272,8 +273,8 @@ public static void ProcessPaletteScanline<TPixel>(`
`272`	`273`	`{`
`273`	`274`	`for (int x = 0; x < header.Width; x++)`
`274`	`275`	`{`
`275`		`- int index = Unsafe.Add(ref scanlineSpanRef, x);`
`276`		`- Rgb24 rgb = Unsafe.Add(ref palettePixelsRef, index);`
	`276`	`+ uint index = Unsafe.Add(ref scanlineSpanRef, x);`
	`277`	`+ Rgb24 rgb = Unsafe.Add(ref palettePixelsRef, (int)Math.Min(index, maxIndex));`
`277`	`278`
`278`	`279`	`pixel.FromRgb24(rgb);`
`279`	`280`	`Unsafe.Add(ref rowSpanRef, x) = pixel;`
Original file line number	Diff line number	Diff line change
`@@ -526,5 +526,13 @@ static void RunTest(string providerDump, string nonContiguousBuffersStr)`
`526`	`526`	`"Disco")`
`527`	`527`	`.Dispose();`
`528`	`528`	`}`
	`529`	`+`
	`530`	`+ [Theory]`
	`531`	`+ [InlineData(TestImages.Png.Bad.Issue2714BadPalette)]`
	`532`	`+ public void Decode_BadPalette(string file)`
	`533`	`+ {`
	`534`	`+ string path = Path.GetFullPath(Path.Combine(TestEnvironment.InputImagesDirectoryFullPath, file));`
	`535`	`+ using Image image = Image.Load(path);`
	`536`	`+ }`
`529`	`537`	`}`
`530`	`538`	`}`
Original file line number	Diff line number	Diff line change
`@@ -156,6 +156,8 @@ public static class Bad`
`156`	`156`	`// Invalid color type.`
`157`	`157`	`public const string ColorTypeOne = "Png/xc1n0g08.png";`
`158`	`158`	`public const string ColorTypeNine = "Png/xc9n2c08.png";`
	`159`	`+`
	`160`	`+ public const string Issue2714BadPalette = "Png/issues/Issue_2714.png";`
`159`	`161`	`}`
`160`	`162`	`}`
`161`	`163`