From 461bdeda2b54e478cc77f13c96991949a286af30 Mon Sep 17 00:00:00 2001 From: Ben Wiederhake Date: Tue, 1 Dec 2020 22:01:15 +0100 Subject: [PATCH] LibGfx: Fix heap-overflow in BMP RLE The field previously named 'data_size' apparently was misunderstood. --- Libraries/LibGfx/BMPLoader.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Libraries/LibGfx/BMPLoader.cpp b/Libraries/LibGfx/BMPLoader.cpp index b1e66e43ff..2e37c840a6 100644 --- a/Libraries/LibGfx/BMPLoader.cpp +++ b/Libraries/LibGfx/BMPLoader.cpp @@ -931,7 +931,7 @@ static bool uncompress_bmp_rle_data(BMPLoadingContext& context, ByteBuffer& buff return false; } - Streamer streamer(context.file_bytes + context.data_offset, context.file_size); + Streamer streamer(context.file_bytes + context.data_offset, context.file_size - context.data_offset); auto compression = context.dib.info.compression;