From 7572a355fd4473b32545756e452bf01b0ecc6fd2 Mon Sep 17 00:00:00 2001
From: Idan Horowitz <idan.horowitz@gmail.com>
Date: Sat, 29 May 2021 17:47:12 +0300
Subject: [PATCH] LibGfx: Reject ICOs with height == NumericLimits<i32>::min()

Bitmap files use negative height values to signify that the image
should be rendered top down, but if the height value equals to the
minimum value, negating it to get the actual height results in UB.
---
 Userland/Libraries/LibGfx/ICOLoader.cpp | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/Userland/Libraries/LibGfx/ICOLoader.cpp b/Userland/Libraries/LibGfx/ICOLoader.cpp
index 4812f791a0..84bc199ab6 100644
--- a/Userland/Libraries/LibGfx/ICOLoader.cpp
+++ b/Userland/Libraries/LibGfx/ICOLoader.cpp
@@ -210,6 +210,13 @@ static bool load_ico_bmp(ICOLoadingContext& context, ICOImageDescriptor& desc)
             printf("load_ico_bmp: width %d < 0\n", info.width);
         return false;
     }
+
+    if (info.height == NumericLimits<i32>::min()) {
+        if constexpr (ICO_DEBUG)
+            printf("load_ico_bmp: height == NumericLimits<i32>::min()\n");
+        return false;
+    }
+
     bool topdown = false;
     if (info.height < 0) {
         topdown = true;