/AccessViolationIssue-dotnet-wpf-issues-5125

This is a MVCE for a .NET 5 WPF issue, described at dotnet/wpf/issues/5125

Primary LanguageC#

Test Case For Reproducing .NET 5 WPF Access Violation Issue

This repository provides an MVCE for WPF issue "CroppedBitmap crashes with AccessViolationException".

It comprises a small WPF .NET 5 Visual Studio project with a single window, containing all code necessary to reproduce the issue.

MainWindow screenshot

Steps To Reproduce

  • Download this repository

  • Open, compile and debug the Visual Studio solution contained therein

  • After the compiled program's main window opens, click the "Save" toolbar button located in the upper right corner of the main window: MainWindows Save toolbar button This will call the MainWindow::SaveImage() method.

  • Select a destination to save the expected PNG file to: Save As dialog window The program will now try to convert the main window's content to a PNG file.

    The resulting PNG file is supposed to have a size of 310,000 * 2,000 pixels.

  • The WPF Runtime will refuse to encode a PNG image being this large: WPF cannot save a PNG file this large The PNG standard, however, allows image sizes of up to 232 * 232 pixels.

  • In the message dialog above, hit [Yes] to have the program split the image into slices of approx. 20,000 pixels width each.

  • The WPF Runtime will then run into an AccessViolationException: WPF Runtime AccessViolationException

  • Despite the fact that the corresponding member function is being decorated with the HandleProcessCorruptedStateExceptionsAttribute, the exception is not getting caught.

WPF Issues Demonstrated By This Example

  1. Large PNG files cannot be encoded/created by PngBitmapEncoder.
  2. Saving a PNG file larger than 20,000 * 2,000 pixels raises an AccessViolationException.
  3. The AccessViolationException cannot be caught. The try-catch construct I added to SaveTiledImage doesn't catch the exception although I have added the HandleProcessCorruptedStateExceptionsAttribute to the corresponding method. The program is just getting aborted without any chance for me to catch the exception.

Eventually, this could be a security vulnerability.