Fix IDX10816 decompression failure for large JWE payloads in DeflateCompressionProvider #3286

Merged: pmaytak merged 10 commits into dev from copilot/fix-2516 on Aug 6, 2025
Copilot AI commented Aug 4, 2025

Problem

The DeflateCompressionProvider.Decompress method was incorrectly throwing IDX10816 errors for large but valid JWE payloads during deflation. This occurred because StreamReader.Read() is not guaranteed to return the maximum number of characters requested, even when more data is available.

The original code performed a single read operation:

int bytesRead = reader.Read(chars, 0, MaximumDeflateSize);
if (reader.Peek() != -1) // This would incorrectly trigger for large payloads
{
    throw new SecurityTokenDecompressionFailedException(IDX10816);
}

When decompressing large payloads, the single Read() call would often return fewer characters than the available data, causing reader.Peek() to detect remaining data and incorrectly conclude the payload exceeded the size limit.

Solution

Modified the decompression logic to read from the stream in a loop until all data is consumed or the maximum size is reached:

int totalCharsRead = 0;
int charsRead;

// Read from the stream until all data is consumed or max size is reached
while (totalCharsRead <= MaximumDeflateSize && (charsRead = reader.Read(chars, totalCharsRead, MaximumDeflateSize - totalCharsRead)) > 0)
{
    totalCharsRead += charsRead;
}

// Only throw error if there's actually more data after reaching the limit
if (reader.Peek() != -1)
{
    throw new SecurityTokenDecompressionFailedException(IDX10816);
}

Testing

Added comprehensive unit tests in DeflateCompressionProviderTests.cs:

The fix ensures that:

  • Large valid payloads decompress successfully
  • The size limit is still properly enforced for truly oversized payloads
  • No regression for smaller payloads

Fixes #2516.
Copilot AI changed the title from "[WIP] [Bug] Decryption of larger payload JWE fails with IDX10816 during deflation in DeflateCompressionProvider.cs" to "Fix IDX10816 decompression failure for large JWE payloads in DeflateCompressionProvider" on Aug 4, 2025
Copilot AI requested a review from pmaytak August 4, 2025 20:59
Copilot AI requested a review from pmaytak August 5, 2025 20:14
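
The partial-read failure described in this pull request, as an added example that is not code from the PR or from the library: the same size-limit check written once with a single read and once with a read loop, run against inflated payloads at and around the limit. It works on bytes through `Stream.Read`, which has the same "up to count" contract as the `StreamReader.Read` call in the PR; `Limit`, the 4096-byte cap that forces short reads, `ReadFn` and the method names are assumptions made for the demonstration.

```csharp
using System;
using System.IO;
using System.IO.Compression;

static class BoundedInflateDemo
{
    const int Limit = 64 * 1024; // constructed limit, not the library's value
    delegate int ReadFn(byte[] buffer, int offset, int count);

    // Constructed sample payload: `size` zero bytes, raw DEFLATE compressed.
    static byte[] Deflate(int size)
    {
        using var ms = new MemoryStream();
        using (var z = new DeflateStream(ms, CompressionMode.Compress, leaveOpen: true))
            z.Write(new byte[size], 0, size);
        return ms.ToArray();
    }

    // Inflating reader capped at 4096 bytes per call (constructed cap, allowed by the read contract).
    static ReadFn Open(byte[] deflated)
    {
        var z = new DeflateStream(new MemoryStream(deflated), CompressionMode.Decompress);
        return (b, o, n) => z.Read(b, o, Math.Min(n, 4096));
    }

    // Pre-fix shape: one read, then any remaining data is taken to mean "over the limit".
    static bool SingleReadRejects(byte[] deflated)
    {
        var read = Open(deflated);
        _ = read(new byte[Limit], 0, Limit);
        return read(new byte[1], 0, 1) > 0;
    }

    // Post-fix shape: accumulate until end of stream or the limit, then probe for more.
    static bool LoopReadRejects(byte[] deflated)
    {
        var read = Open(deflated);
        var buf = new byte[Limit];
        int total = 0, n;
        while (total < Limit && (n = read(buf, total, Limit - total)) > 0) total += n;
        return read(new byte[1], 0, 1) > 0;
    }

    static void Main()
    {
        foreach (int size in new[] { 1024, Limit, Limit + 1 })
            Console.WriteLine($"{size,6} bytes: single-read rejects={SingleReadRejects(Deflate(size))}, loop rejects={LoopReadRejects(Deflate(size))}");
    }
}
```

The payload of exactly `Limit` bytes is the case from the bug report: the single-read check rejects it because the first read came back short, while the loop accepts it and still rejects `Limit + 1`.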