Undocumented ArgumentOutOfRangeException in XmlReader created from MemoryStream

[fuzzah]

Description

If an XmlReader object is created via XmlReader.Create(stream) with a MemoryStream having certain data, then an undocumented ArgumentOutOfRangeException may be thrown.

Reproduction Steps

Create a console app:

dotnet new console -n XmlReaderReproduce
cd XmlReaderReproduce

Put the following code in the Program.cs file:

using System.Xml;

string data = "<?xml version=\"1.0\xbf\"?>";

byte[] byteArray = System.Text.Encoding.UTF8.GetBytes(data);
MemoryStream stream = new MemoryStream(byteArray);

try
{
    using (var xml = XmlReader.Create(stream))
    {
        while (xml.Read()) { }
    }
}
catch (XmlException) { }

Build and run the app. In my case:

dotnet publish --self-contained -r linux-x64 -c Release
bin/Release/net8.0/linux-x64/XmlReaderReproduce

Expected behavior

No errors or any other output, as all exceptions related to System.Xml should be caught in the try..catch block

Actual behavior

The app exits with an unhandled ArgumentOutOfRangeException, which is undocumented for the XmlReader class:

Unhandled exception. System.ArgumentOutOfRangeException: count ('-2') must be a non-negative value. (Parameter 'count')
Actual value was -2.
   at System.ArgumentOutOfRangeException.ThrowNegative[T](T value, String paramName)
   at System.Buffer.BlockCopy(Array src, Int32 srcOffset, Array dst, Int32 dstOffset, Int32 count)
   at System.Xml.XmlTextReaderImpl.ReadData()
   at System.Xml.XmlTextReaderImpl.SwitchEncoding(Encoding newEncoding)
   at System.Xml.XmlTextReaderImpl.ParseXmlDeclaration(Boolean isTextDecl)
   at System.Xml.XmlTextReaderImpl.Read()
   at Program.<Main>$(String[] args) in /root/XmlReaderReproduce/Program.cs:line 12
Aborted (core dumped)

Regression?

The error did not appear in 6.0.0-rtm.21522.10

Known Workarounds

There is no error if the XmlReader object is created with a StringReader instead:

using System.Xml;

string data = "<?xml version=\"1.0\xbf\"?>";

try
{
    using (var xml = XmlReader.Create(new StringReader(data)))
    {
        while (xml.Read()) { }
    }
}
catch (XmlException) { }

Configuration

I used the Docker image mcr.microsoft.com/dotnet/sdk:8.0.

dotnet info:

dotnet --info
.NET SDK:
 Version:           8.0.406
 Commit:            73c77e847d
 Workload version:  8.0.400-manifests.f7661779
 MSBuild version:   17.11.22+17752cebd

Runtime Environment:
 OS Name:     debian
 OS Version:  12
 OS Platform: Linux
 RID:         linux-x64
 Base Path:   /usr/share/dotnet/sdk/8.0.406/

.NET workloads installed:
Configured to use loose manifests when installing new manifests.
There are no installed workloads to display.

Host:
  Version:      8.0.13
  Architecture: x64
  Commit:       eba546b0f0

.NET SDKs installed:
  8.0.406 [/usr/share/dotnet/sdk]

.NET runtimes installed:
  Microsoft.AspNetCore.App 8.0.13 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 8.0.13 [/usr/share/dotnet/shared/Microsoft.NETCore.App]

Other information

Found by Linux Verification Center (linuxtesting.org) with AFL++ and SharpFuzz.
Reporter: Valery Korolyov (v.korolyov@gardatech.ru)
Organization: Garda Technologies (info@gardatech.ru)

[dotnet-policy-service]

Tagging subscribers to this area: @dotnet/area-system-xml
See info in area-owners.md if you want to be subscribed.