Image pane _imgshape methods crash or return wrong dimensions on malformed data #8484
Description
Description
Several _imgshape class methods in image panes lack proper validation of input data, leading to confusing errors or silently wrong results when given truncated or malformed image bytes:
| Pane | Bug | Effect |
|---|---|---|
| JPG | No check when SOF marker is not found | UnboundLocalError: cannot access local variable 'w' |
| AVIF | data.find(b"ispe") returns -1, then reads data[7:11] |
Returns garbage dimensions silently |
| PNG | struct.unpack('>LL', data[16:24]) on short data |
struct.error: unpack requires a buffer of 8 bytes |
| GIF | struct.unpack('<HH', data[6:10]) on short data |
struct.error: unpack requires a buffer of 4 bytes |
| ICO | struct.unpack('<BB', data[6:8]) on short data |
struct.error: unpack requires a buffer of 2 bytes |
Reproducer
from panel.pane import JPG, AVIF, PNG
# JPG: UnboundLocalError
JPG._imgshape(b'\xff\xd8\xff\xda' + b'\x00' * 10)
# AVIF: silently returns wrong dimensions
w, h = AVIF._imgshape(b'\x00\x00\x00\x1cftypavifall' + b'\x00' * 50)
# w and h are garbage values read from wrong offsets
# PNG: struct.error
PNG._imgshape(b'\x89PNG\r\n\x1a\n')The AVIF case is the most dangerous since it silently returns wrong dimensions instead of raising an error, potentially causing subtle layout issues.