From d6ad91e3672c766c007cc30b40309770b6345cce Mon Sep 17 00:00:00 2001
From: Doll <2445607427@qq.com>
Date: Tue, 23 Jun 2026 12:50:17 +0800
Subject: [PATCH] fix: fix PNG chunk header bounds check in logo decoder
---
 scripts/sync-logos.ts | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/scripts/sync-logos.ts b/scripts/sync-logos.ts
index 80588fab..44e72cbf 100644
--- a/scripts/sync-logos.ts
+++ b/scripts/sync-logos.ts
@@ -70,7 +70,9 @@ function decodePngPixels(buf: ArrayBuffer) {
 (bytes[20] << 24) | (bytes[21] << 16) | (bytes[22] << 8) | bytes[23];
 const idatChunks: Buffer[] = [];
 let offset = 8;
- while (offset < bytes.length - 4) {
+ // A chunk header is 8 bytes (4-byte length + 4-byte type), so we need at
+ // least 8 bytes remaining to read one safely.
+ while (offset <= bytes.length - 8) {
 const len =
 (bytes[offset] << 24) |
 (bytes[offset + 1] << 16) |
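Review bot: The new loop condition guarantees the 8-byte chunk header is in range, but the `len` read just below it still comes straight from the file, and nothing visible in the hunk bounds it against the bytes that remain. Because `bytes[offset] << 24` is a signed 32-bit shift, a leading length byte of 0x80 or higher makes `len` negative, which could move `offset` backwards or stall the loop depending on how the body advances it. The loop body continues outside the hunk, so if it does not already do this, I would force the value unsigned with a trailing `>>> 0` and add `if (len > bytes.length - offset - 12) break;` before slicing the chunk data (12 = length + type + CRC). A truncated or malformed logo file then ends the loop cleanly instead of yielding a short or misaligned IDAT slice.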