From d355fc0e323cce4b95aa43da64b76d7d8abb8b37 Mon Sep 17 00:00:00 2001 From: Brian Popow Date: Wed, 11 Mar 2026 16:26:48 +0100 Subject: [PATCH 1/3] Throw Exception when alpha.Length > colorTable.Length in tRNS chunk --- src/ImageSharp/Formats/Png/PngDecoderCore.cs | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/ImageSharp/Formats/Png/PngDecoderCore.cs b/src/ImageSharp/Formats/Png/PngDecoderCore.cs index bca682d77a..0a7a5d359b 100644 --- a/src/ImageSharp/Formats/Png/PngDecoderCore.cs +++ b/src/ImageSharp/Formats/Png/PngDecoderCore.cs @@ -1253,6 +1253,12 @@ private static void AssignColorPalette(ReadOnlySpan palette, ReadOnlySpan< ReadOnlySpan rgbTable = MemoryMarshal.Cast(palette); Color.FromPixel(rgbTable, colorTable); + if (alpha.Length > colorTable.Length) + { + throw new InvalidImageContentException( + "The tRNS chunk contains more alpha values than there are palette entries."); + } + if (alpha.Length > 0) { // The alpha chunk may contain as many transparency entries as there are palette entries From 9c9b6124f317c85aef6424b77a43722ffc718168 Mon Sep 17 00:00:00 2001 From: Brian Popow Date: Wed, 11 Mar 2026 16:53:13 +0100 Subject: [PATCH 2/3] Add test case for alpha.Length > colorTable.Length --- .../Formats/Png/PngDecoderTests.Chunks.cs | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/tests/ImageSharp.Tests/Formats/Png/PngDecoderTests.Chunks.cs b/tests/ImageSharp.Tests/Formats/Png/PngDecoderTests.Chunks.cs index 823009b68d..a53bd1dd5c 100644 --- a/tests/ImageSharp.Tests/Formats/Png/PngDecoderTests.Chunks.cs +++ b/tests/ImageSharp.Tests/Formats/Png/PngDecoderTests.Chunks.cs @@ -161,6 +161,31 @@ public void Decode_InternationalText_WithTruncatedDataAfterLanguageTag_DoesNotTh using Image image = Image.Load(stream); } + [Fact] + public void Decode_tRnsChunk_WithAlphaLengthGreaterColorTableLength_ExceptionIsThrown() + { + byte[] payload = [137, 80, 78, 71, 13, 10, 26, 10, // PNG signature + 0, 0, 0, 13, // chunk length 13 bytes + 73, 72, 68, 82, // chunk type IHDR + 0, 0, 0, 1, 0, 0, 0, 1, 8, 3, 0, 0, 0, // data + 40, 203, 52, 187, // crc + 0, 0, 0, 6, // chunk length 6 bytes + 80, 76, 84, 69, // chunk type palettte + 255, 0, 0, 0, 255, 0, // data + 210, 135, 239, 113, // crc + 0, 0, 0, 18, // chunk length + 116, 82, 78, 83, // chunk type tRns + 48, 48, 48, 48, 48, 48, 48, 48, 48, 48, 48, 48, 48, 48, 48, 48, 48, 48, 48, 48, 48, 48, // data + 0, 0, 0, 10, // chunk length + 73, 68, 65, 84, // chunk type data + 120, 156, 99, 96, 0, 0, 0, 2, 0, 1, 72, 175, 164, 113]; // alpha.Length > colorTable.Length + + using MemoryStream stream = new(payload); + InvalidImageContentException exception = Assert.Throws(() => Image.Load(stream)); + + Assert.Equal("The tRNS chunk contains more alpha values than there are palette entries.", exception.Message); + } + private static string GetChunkTypeName(uint value) { byte[] data = new byte[4]; From c512b142f93f675fcbbdcb32efd5635b1c67a842 Mon Sep 17 00:00:00 2001 From: Brian Popow Date: Thu, 12 Mar 2026 10:56:20 +0100 Subject: [PATCH 3/3] If alpha length is greater then colorTable, slice length to colorTable length --- src/ImageSharp/Formats/Png/PngDecoderCore.cs | 4 ++-- .../ImageSharp.Tests/Formats/Png/PngDecoderTests.Chunks.cs | 6 ++---- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/src/ImageSharp/Formats/Png/PngDecoderCore.cs b/src/ImageSharp/Formats/Png/PngDecoderCore.cs index 0a7a5d359b..8962182679 100644 --- a/src/ImageSharp/Formats/Png/PngDecoderCore.cs +++ b/src/ImageSharp/Formats/Png/PngDecoderCore.cs @@ -1253,10 +1253,10 @@ private static void AssignColorPalette(ReadOnlySpan palette, ReadOnlySpan< ReadOnlySpan rgbTable = MemoryMarshal.Cast(palette); Color.FromPixel(rgbTable, colorTable); + // The tRNS chunk must not contain more alpha values than there are palette entries. if (alpha.Length > colorTable.Length) { - throw new InvalidImageContentException( - "The tRNS chunk contains more alpha values than there are palette entries."); + alpha = alpha.Slice(0, colorTable.Length); } if (alpha.Length > 0) diff --git a/tests/ImageSharp.Tests/Formats/Png/PngDecoderTests.Chunks.cs b/tests/ImageSharp.Tests/Formats/Png/PngDecoderTests.Chunks.cs index a53bd1dd5c..03dc040186 100644 --- a/tests/ImageSharp.Tests/Formats/Png/PngDecoderTests.Chunks.cs +++ b/tests/ImageSharp.Tests/Formats/Png/PngDecoderTests.Chunks.cs @@ -162,7 +162,7 @@ public void Decode_InternationalText_WithTruncatedDataAfterLanguageTag_DoesNotTh } [Fact] - public void Decode_tRnsChunk_WithAlphaLengthGreaterColorTableLength_ExceptionIsThrown() + public void Decode_tRnsChunk_WithAlphaLengthGreaterColorTableLength_ShouldNotThrowException() { byte[] payload = [137, 80, 78, 71, 13, 10, 26, 10, // PNG signature 0, 0, 0, 13, // chunk length 13 bytes @@ -181,9 +181,7 @@ public void Decode_tRnsChunk_WithAlphaLengthGreaterColorTableLength_ExceptionIsT 120, 156, 99, 96, 0, 0, 0, 2, 0, 1, 72, 175, 164, 113]; // alpha.Length > colorTable.Length using MemoryStream stream = new(payload); - InvalidImageContentException exception = Assert.Throws(() => Image.Load(stream)); - - Assert.Equal("The tRNS chunk contains more alpha values than there are palette entries.", exception.Message); + using Image image = Image.Load(stream); } private static string GetChunkTypeName(uint value)