IOOB in FrameControl.Parse on malformed APNG input (81 bytes)

### Prerequisites

- [x] I have written a descriptive issue title
- [x] I have verified that I am running the latest version of ImageSharp
- [x] I have verified if the problem exist in both `DEBUG` and `RELEASE` mode
- [x] I have searched [open](https://github.com/SixLabors/ImageSharp/issues) and [closed](https://github.com/SixLabors/ImageSharp/issues?q=is%3Aissue+is%3Aclosed) issues to ensure it has not already been reported

### ImageSharp version

3.1.12 (also verified present on current main branch, commit 36334cd9e)

### Other ImageSharp packages and versions

N/A

### Environment (Operating system, version and so on)

Linux x64, WSL2

### .NET Framework version

.NET 10.0

### Description

`FrameControl.Parse` throws `IndexOutOfRangeException` when processing a malformed PNG with a truncated `fcTL` (frame control) chunk. The method expects 26 bytes (`FrameControl.Size`) but does not validate the input length before slicing.

Found via coverage-guided fuzzing with AFL++ and SharpFuzz.

### Steps to Reproduce

```csharp
using SixLabors.ImageSharp;
using SixLabors.ImageSharp.PixelFormats;

var payload = Convert.FromHexString(
    "89504e470d0a1a0a424d3a00000000007f000000000028030405060000000100" +
    "000101002000000000000000000000000000ff00006663544cff190000000000" +
    "010000424d000100000101002000000000");

using var ms = new MemoryStream(payload);
using var image = Image.Load<Rgba32>(ms); // throws IndexOutOfRangeException
```

```
System.IndexOutOfRangeException: Index was outside the bounds of the array.
   at SixLabors.ImageSharp.Formats.Png.Chunks.FrameControl.Parse(ReadOnlySpan`1 data)
   at SixLabors.ImageSharp.Formats.Png.PngDecoderCore.ReadFrameControlChunk(ReadOnlySpan`1 data)
   at SixLabors.ImageSharp.Formats.Png.PngDecoderCore.Decode[TPixel](BufferedReadStream stream, CancellationToken cancellationToken)
```

**Suggested fix:** A bounds check at the top of `Parse` - same pattern as the fixes for #3078 and #3079:

```csharp
public static FrameControl Parse(ReadOnlySpan<byte> data)
{
    if (data.Length < Size)
    {
        PngThrowHelper.ThrowInvalidChunkData("fcTL");
    }

    return new(
        sequenceNumber: BinaryPrimitives.ReadUInt32BigEndian(data[..4]),
        // ... rest unchanged
}
```

### Images

N/A - crash is triggered by the hex payload above (81 bytes, malformed PNG with truncated fcTL chunk).

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

IOOB in FrameControl.Parse on malformed APNG input (81 bytes) #3093

Prerequisites

ImageSharp version

Other ImageSharp packages and versions

Environment (Operating system, version and so on)

.NET Framework version

Description

Steps to Reproduce

Images

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

IOOB in FrameControl.Parse on malformed APNG input (81 bytes) #3093

Description

Prerequisites

ImageSharp version

Other ImageSharp packages and versions

Environment (Operating system, version and so on)

.NET Framework version

Description

Steps to Reproduce

Images

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions