From 9e3ee0e2b589ec8b28b27a72232a76e5d57e294b Mon Sep 17 00:00:00 2001
From: Tim Ledbetter <timledbetter@gmail.com>
Date: Thu, 12 Oct 2023 20:52:19 +0100
Subject: [PATCH] LibGfx/ILBM: Avoid buffer overrun when reading header chunk

---
 Userland/Libraries/LibGfx/ImageFormats/ILBMLoader.cpp | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/Userland/Libraries/LibGfx/ImageFormats/ILBMLoader.cpp b/Userland/Libraries/LibGfx/ImageFormats/ILBMLoader.cpp
index 50511cb253..6ec65acd15 100644
--- a/Userland/Libraries/LibGfx/ImageFormats/ILBMLoader.cpp
+++ b/Userland/Libraries/LibGfx/ImageFormats/ILBMLoader.cpp
@@ -300,6 +300,9 @@ static ErrorOr<void> decode_bmhd_chunk(ILBMLoadingContext& context)
     if (first_chunk.type != FourCC("BMHD"))
         return Error::from_string_literal("IFFImageDecoderPlugin: Invalid chunk type, expected BMHD");
 
+    if (first_chunk.data.size() < sizeof(BMHDHeader))
+        return Error::from_string_literal("IFFImageDecoderPlugin: Not enough data for header chunk");
+
     context.bm_header = *bit_cast<BMHDHeader const*>(first_chunk.data.data());
     context.pitch = ceil_div((u16)context.bm_header.width, (u16)16) * 2;