From 7cb151bb4c4cfc6018a00a125422ff38a041b9f8 Mon Sep 17 00:00:00 2001
From: adrianiacobghiula <2491756+adrianiacobghiula@users.noreply.github.com>
Date: Mon, 16 Jan 2023 15:50:07 +0100
Subject: [PATCH] fix(context): panic on NegotiateFormat - index out of range
 (#3397)

---
 context.go      | 2 +-
 context_test.go | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/context.go b/context.go
index b1352b9b6e..0474252709 100644
--- a/context.go
+++ b/context.go
@@ -1147,7 +1147,7 @@ func (c *Context) NegotiateFormat(offered ...string) string {
 			// According to RFC 2616 and RFC 2396, non-ASCII characters are not allowed in headers,
 			// therefore we can just iterate over the string without casting it into []rune
 			i := 0
-			for ; i < len(accepted); i++ {
+			for ; i < len(accepted) && i < len(offer); i++ {
 				if accepted[i] == '*' || offer[i] == '*' {
 					return offer
 				}
diff --git a/context_test.go b/context_test.go
index 85e0a6161e..827ee0fafd 100644
--- a/context_test.go
+++ b/context_test.go
@@ -1311,6 +1311,14 @@ func TestContextNegotiationFormatCustom(t *testing.T) {
 	assert.Equal(t, MIMEJSON, c.NegotiateFormat(MIMEJSON))
 }
 
+func TestContextNegotiationFormat2(t *testing.T) {
+	c, _ := CreateTestContext(httptest.NewRecorder())
+	c.Request, _ = http.NewRequest("POST", "/", nil)
+	c.Request.Header.Add("Accept", "image/tiff-fx")
+
+	assert.Equal(t, "", c.NegotiateFormat("image/tiff"))
+}
+
 func TestContextIsAborted(t *testing.T) {
 	c, _ := CreateTestContext(httptest.NewRecorder())
 	assert.False(t, c.IsAborted())