diff --git a/Tests/LibGfx/TestImageDecoder.cpp b/Tests/LibGfx/TestImageDecoder.cpp
index b0071da319..35f2915ba1 100644
--- a/Tests/LibGfx/TestImageDecoder.cpp
+++ b/Tests/LibGfx/TestImageDecoder.cpp
@@ -73,7 +73,8 @@ TEST_CASE(test_ico_malformed_frame)
 {
     Array test_inputs = {
         TEST_INPUT("ico/oss-fuzz-testcase-62541.ico"sv),
-        TEST_INPUT("ico/oss-fuzz-testcase-63177.ico"sv)
+        TEST_INPUT("ico/oss-fuzz-testcase-63177.ico"sv),
+        TEST_INPUT("ico/oss-fuzz-testcase-63357.ico"sv)
     };
 
     for (auto test_input : test_inputs) {
diff --git a/Tests/LibGfx/test-inputs/ico/oss-fuzz-testcase-63357.ico b/Tests/LibGfx/test-inputs/ico/oss-fuzz-testcase-63357.ico
new file mode 100644
index 0000000000..8e0374d496
Binary files /dev/null and b/Tests/LibGfx/test-inputs/ico/oss-fuzz-testcase-63357.ico differ
diff --git a/Userland/Libraries/LibGfx/ImageFormats/BMPLoader.cpp b/Userland/Libraries/LibGfx/ImageFormats/BMPLoader.cpp
index 0122ddd726..86bd6b32a8 100644
--- a/Userland/Libraries/LibGfx/ImageFormats/BMPLoader.cpp
+++ b/Userland/Libraries/LibGfx/ImageFormats/BMPLoader.cpp
@@ -820,12 +820,12 @@ static ErrorOr decode_bmp_dib(BMPLoadingContext& context)
     u8 header_size = context.is_included_in_ico ? 0 : bmp_header_size;
 
-    if (context.file_size < (u8)(header_size + 4))
+    if (context.file_size < header_size + 4u)
         return Error::from_string_literal("File size too short");
 
     InputStreamer streamer(context.file_bytes + header_size, 4);
-    u32 dib_size = streamer.read_u32();
+    u64 dib_size = streamer.read_u32();
 
     if (context.file_size < header_size + dib_size)
         return Error::from_string_literal("File size too short");
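Review bot: The widening of `dib_size` to u64 is what stops `header_size + dib_size` from wrapping past the `file_size` check, but nothing on the new side says so, and a later cleanup narrowing it back to the u32 that `read_u32()` returns would silently reopen the bypass. I would annotate the declaration: `u64 dib_size = streamer.read_u32(); // widened so header_size + dib_size cannot wrap around the file_size check below`. The hunk also bounds `dib_size` only from above; if the code that follows (outside this hunk) subtracts the four bytes already consumed from `dib_size`, a value below 4 would underflow, so a minimum DIB-header-size check at this point is worth confirming. decode_bmp_dib starts before this hunk and continues after it.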
@@ -837,7 +837,7 @@ static ErrorOr decode_bmp_dib(BMPLoadingContext& context)
     // NOTE: If this is a headless BMP (embedded on ICO files), then we can only infer the data_offset after we know the data table size.
     // We are also assuming that no Extra bit masks are present
-    u32 dib_offset = dib_size;
+    u64 dib_offset = dib_size;
     if (!context.is_included_in_ico) {
         if (context.data_offset < header_size + 4u)
             return Error::from_string_literal("Data offset too small");
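Review bot: Widening `dib_offset` to u64 only protects the additions that consume it; the assignment in the `!context.is_included_in_ico` branch and every later use of `dib_offset` lie outside this hunk, so verify that none of them passes it through a u32 parameter or a narrowing initializer, which would reintroduce the wrap this commit removes. A short comment on the declaration would guard against that: `u64 dib_offset = dib_size; // kept 64-bit so offset arithmetic checked against file_size cannot wrap; do not narrow`. The function continues past the end of the hunk.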