From a673062084475de6a33576e796e97a44c02529bb Mon Sep 17 00:00:00 2001
From: Tim Ledbetter <timledbetter@gmail.com>
Date: Wed, 11 Oct 2023 18:12:26 +0100
Subject: [PATCH] LibGfx/BMPLoader: Ensure data offset cannot point past EOF

---
 Userland/Libraries/LibGfx/ImageFormats/BMPLoader.cpp | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/Userland/Libraries/LibGfx/ImageFormats/BMPLoader.cpp b/Userland/Libraries/LibGfx/ImageFormats/BMPLoader.cpp
index fee77bcdb9..2388cbcfb6 100644
--- a/Userland/Libraries/LibGfx/ImageFormats/BMPLoader.cpp
+++ b/Userland/Libraries/LibGfx/ImageFormats/BMPLoader.cpp
@@ -518,6 +518,11 @@ static ErrorOr<void> decode_bmp_header(BMPLoadingContext& context)
     // Ignore reserved bytes
     streamer.drop_bytes(4);
     context.data_offset = streamer.read_u32();
+    if (context.data_offset >= context.file_size) {
+        dbgln_if(BMP_DEBUG, "BMP has invalid data offset: {}", context.data_offset);
+        context.state = BMPLoadingContext::State::Error;
+        return Error::from_string_literal("BMP has invalid data offset");
+    }
 
     if constexpr (BMP_DEBUG) {
         dbgln("BMP file size: {}", context.file_size);
@@ -923,6 +928,12 @@ static ErrorOr<void> decode_bmp_dib(BMPLoadingContext& context)
         }
     }
 
+    if (context.data_offset >= context.file_size) {
+        dbgln_if(BMP_DEBUG, "BMP has invalid data offset: {}", context.data_offset);
+        context.state = BMPLoadingContext::State::Error;
+        return Error::from_string_literal("BMP has invalid data offset");
+    }
+
     context.state = BMPLoadingContext::State::DIBDecoded;
 
     return {};