-
Notifications
You must be signed in to change notification settings - Fork 144
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Corrupt auxillary chunks should be ignored, not treated as fatal errors #525
Comments
Good catch - thanks for filing the bug. A few thoughts that I hope are helpful:
|
APNG chunks started out as a non-standard hack, and it was long too late to fix their names when they got into the spec. APNG chunks will need special case handling. They could simply be treated as mandatory, or mandatory after decoding past the first frame (iEND). |
For reference, this is how the spec recommends handling APNG errors:
But really, the top priority should be making sure that adding support for new metadata chunks doesn't cause breaking changes for users due to previously readable PNGs now raising errors about the new chunk being corrupt. |
Agreed. Is there also value in trying to ensure that already-supported auxiliary chunks can't trigger errors? In theory we could force functions that parse auxiliary chunks (e.g. |
Existing chunks should probably also be switched. Hyrum's Law is unfortunate, but given the lax behavior of other common decoders, I think we're decades late in preventing it. |
Parsing of these chunks doesn't do anything during decoding. The decoder doesn't really need to be parsing them. The current implementation isn't even parsing them into another representation, merely checking if they're valid and then not reporting the failures. The decoder could simply save the chunks' raw data, and then the |
The PNG spec says:
Right now,
parse_chunk
instead treats any error in any known chunk as fatal and sets the decoding state toNone
.The text was updated successfully, but these errors were encountered: