image/png: fix crash when an alleged PNG has too much pixel data,

so that the zlib.Reader returns nil error.

Fixes #7762.

LGTM=r
R=r
CC=golang-codereviews
https://golang.org/cl/86750044

diff --git a/src/pkg/image/png/reader.go b/src/pkg/image/png/reader.go
index a6bf86ede6505036ee3800f1484d6fdbb9f38041..dfe2991024dce40327482a644c8a1070345c6c22 100644 (file)
--- a/src/pkg/image/png/reader.go
+++ b/src/pkg/image/png/reader.go
@@ -505,8 +505,14 @@ func (d *decoder) decode() (image.Image, error) {
        }
 
        // Check for EOF, to verify the zlib checksum.
-       n, err := r.Read(pr[:1])
-       if err != io.EOF {
+       n := 0
+       for i := 0; n == 0 && err == nil; i++ {
+               if i == 100 {
+                       return nil, io.ErrNoProgress
+               }
+               n, err = r.Read(pr[:1])
+       }
+       if err != nil && err != io.EOF {
                return nil, FormatError(err.Error())
        }
        if n != 0 || d.idatLength != 0 {