
This would have been avoided if the PNG format (or at least one commonly used editor) required that the data filled the whole file, or rendered extra junk when there was extra data at the end.


The PNG spec actually has wording to disallow data past the end. https://w3c.github.io/PNG-spec/#15FileConformance "3. No chunks or other content follow the IEND chunk."

(I'm the PNG spec chair and also the person who discovered Snipping Tool is vulnerable.)


However, it also says:

> The PNG decoder has to determine whether a syntax error is fatal (unrecoverable) or not, depending on its requirements and the situation. For example, most decoders can ignore an invalid IEND

It doesn't explicitly mention what decoders should do on encountering data after IEND, but the general philosophy for decoders seems to be that errors should be handled gracefully where possible, even if the file is technically malformed (which is maybe something that could be clarified or expanded upon?)
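As an added illustration of the conformance rule quoted above ("no chunks or other content follow the IEND chunk") and of the decoder-leniency point in this reply, here is a small chunk walker that reports how many bytes trail IEND. It is not code from either commenter or from the PNG spec; the signature, chunk layout and CRC are as the spec defines them, while the helper names and the constructed 1x1 sample file are this example's own.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def trailing_bytes_after_iend(blob: bytes) -> int:
    """Walk the chunk stream and return the number of bytes after IEND.

    0 means the file is conformant. Missing signature, truncated chunks, bad
    CRCs or a missing IEND raise ValueError, as a strict decoder would reject them.
    """
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    while True:
        if pos + 8 > len(blob):
            raise ValueError("truncated chunk header (no IEND found)")
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 8 + length + 4            # header + data + CRC
        if end > len(blob):
            raise ValueError(f"truncated {ctype!r} chunk")
        data = blob[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", blob[end - 4:end])
        if crc != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            raise ValueError(f"bad CRC on {ctype!r} chunk")
        pos = end
        if ctype == b"IEND":
            return len(blob) - pos            # anything left over is out of spec


def build_sample_png(trailer: bytes = b"") -> bytes:
    """Constructed 1x1 RGB PNG (hypothetical sample), with optional junk after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, colour type 2 (RGB)
    raw_scanline = b"\x00" + b"\xff\x00\x00"               # filter byte 0 + one red pixel
    body = PNG_SIGNATURE
    body += png_chunk(b"IHDR", ihdr)
    body += png_chunk(b"IDAT", zlib.compress(raw_scanline))
    body += png_chunk(b"IEND", b"")
    return body + trailer
```

A viewer or upload pipeline can call `trailing_bytes_after_iend` and warn (or refuse) when it returns a non-zero count, which is the "fail loudly" behaviour discussed further down the thread.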


Back in the olden days, when people were using protocols like Kermit and XModem to download their questionable images from BBSs, you would often get a file whose size was rounded up to the nearest block size. In that situation, failing for extra data at the end would have been a fatal move for someone implementing an image decoder, and I think PNG might be just barely old enough that the designers remembered that.


From a usability perspective, it's preferable to recover from and work around any data stream errors rather than crash with an exception error.

Why? Because users have stuff to do. They don't know about and don't care for errors.

The most prominent examples are web browsers. Browsers are supposed to crash when fed invalid HTML, and this was even mandated when XHTML was trying to replace HTML. Users fucking hated it, and XHTML crashed and burned and HTML with its error-safe handling has stayed to this day.


Thanks for explaining. From a user perspective the best thing to do is definitely graceful recovery, but bugs like this highlight that there's value to the ecosystem in failing loudly whenever anything is out of spec. The appropriate balance of those behaviors is obviously a function of the nature of the ecosystem, and could be different for different tools. I'd suggest that for PNG in particular, one reasonable behavior would be to show a little red "File corrupted!" warning or popup for these sorts of out-of-spec-but-probably-recoverable issues, which would probably have been noticed and filed as a bug for the developers of these tools, even if only a small fraction of viewers had that behavior. Something like a thumbnail viewer should maybe just opt to early-abort whenever anything sketchy is going on, especially since out-of-spec behaviors can lead to security issues.


True, true. I respect it. :)

For others, Retr0id has been helping with the PNG spec. A third edition is in the works.


Or, like PDF, require the file to be interpreted starting from the end.



