From 40a09993036618b756c4b0c050614b1438ae7d84 Mon Sep 17 00:00:00 2001
From: Andrew Murray <radarhere@users.noreply.github.com>
Date: Mon, 11 Jul 2022 20:02:41 +1000
Subject: [PATCH] Raise ValueError if PNG sRGB chunk is truncated

---
 Tests/test_file_png.py    | 4 +++-
 src/PIL/PngImagePlugin.py | 4 ++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/Tests/test_file_png.py b/Tests/test_file_png.py
index 2a40ab7be9d..1af0223eb7d 100644
--- a/Tests/test_file_png.py
+++ b/Tests/test_file_png.py
@@ -635,7 +635,9 @@ def test_padded_idat(self):
 
             assert_image_equal_tofile(im, "Tests/images/bw_gradient.png")
 
-    @pytest.mark.parametrize("cid", (b"IHDR", b"pHYs", b"acTL", b"fcTL", b"fdAT"))
+    @pytest.mark.parametrize(
+        "cid", (b"IHDR", b"sRGB", b"pHYs", b"acTL", b"fcTL", b"fdAT")
+    )
     def test_truncated_chunks(self, cid):
         fp = BytesIO()
         with PngImagePlugin.PngStream(fp) as png:
diff --git a/src/PIL/PngImagePlugin.py b/src/PIL/PngImagePlugin.py
index c0b3647884e..442c65e6f1b 100644
--- a/src/PIL/PngImagePlugin.py
+++ b/src/PIL/PngImagePlugin.py
@@ -509,6 +509,10 @@ def chunk_sRGB(self, pos, length):
         # 3 absolute colorimetric
 
         s = ImageFile._safe_read(self.fp, length)
+        if length < 1:
+            if ImageFile.LOAD_TRUNCATED_IMAGES:
+                return s
+            raise ValueError("Truncated sRGB chunk")
         self.im_info["srgb"] = s[0]
         return s