PNG: Verify CRC of IDAT chunk is correct

[brianpopow]

Prerequisites

• I have written a descriptive pull-request title
• I have verified that there are no overlapping pull-requests open
• I have verified that I am following the existing coding patterns and practice as demonstrated in the repository. These follow strict Stylecop rules 👮.
• I have provided test coverage for my change (where applicable)

Description

This PR changes the PNG decoder to verify that the CRC of IDAT chunk is correct.

[codecov]

Codecov Report

Merging #1898 (112585c) into master (5e060ba) will decrease coverage by 0%.
The diff coverage is 100%.

@@          Coverage Diff           @@
##           master   #1898   +/-   ##
======================================
- Coverage      87%     87%   -1%     
======================================
  Files         960     960           
  Lines       50972   50975    +3     
  Branches     6310    6311    +1     
======================================
+ Hits        44731   44733    +2     
  Misses       5202    5202           
- Partials     1039    1040    +1     

Flag	Coverage Δ
unittests	87% <100%> (-1%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
src/ImageSharp/Formats/Png/PngDecoderCore.cs	90% <100%> (-1%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 5e060ba...112585c. Read the comment docs.

[antonfirsov]

Why do we need to read the IDAT chunk twice? Upon rewinding the stream, this means creating & filling PngChunk.Data twice. Can't we avoid this?

[brianpopow]

I dont see how we can avoid reading the stream twice. We need to read the stream completely once to be able to calculate the CRC. Then we are sure the byte stream is not corrupted and can start decoding it in ZlibInflateStream. Otherwise we would need to introduce PNG specific logic into ZlibInflateStream, which i dont think would be good.
Also the compressed stream can span over multiple IDAT chunks, which would make it even more complicated.

Note also the PngChunk.Data is not filled twice, just once. Before this PR the PngChunk.Data was left empty.
So we have now with this PR an additional allocation of the size of IDAT chunk.

[JimBobSquarePants]

Does libpng check it? I know it’s optional but haven’t had the chance to dig through the code

[brianpopow]

yes, libpng does check it

[brianpopow]

One way to possible avoid a large allocation here for the IDAT chunk just to calculate the CRC could be to read the IDAT data in smaller portions from the stream (lets say 8192 bytes) and calculate the CRC on those smaller chunk's of data.

Is it worth introducing such special handling for calculating the CRC of IDAT?

[antonfirsov]

ZlibInflateStream operates over BufferedReadStream, so we can consider making CRC32 calculation as an optional part of BufferedReadStream buffer fills. Although it's definitely not a 2.0 optimization, I would open a separate issue to investigate this.

read the IDAT data in smaller portions from the stream (lets say 8192 bytes) and calculate the CRC on those smaller chunk's of data.

If my understanding is correct, PNG-s with single very large IDAT chunks are rare, so it's probably not worth it, I would better investigate the BufferedReadStream approach, since it also avoids stream rewinding.

[antonfirsov]

Looks good for 2.0, but might worth to investigate on-the-fly CRC32 calculation in the future.