diff --git a/Tests/LibGfx/TestImageDecoder.cpp b/Tests/LibGfx/TestImageDecoder.cpp
index f800ae0316..deeb1439a0 100644
--- a/Tests/LibGfx/TestImageDecoder.cpp
+++ b/Tests/LibGfx/TestImageDecoder.cpp
@@ -154,6 +154,7 @@ TEST_CASE(test_ilbm_malformed_header)
 TEST_CASE(test_ilbm_malformed_frame)
 {
 Array test_inputs = {
+ TEST_INPUT("ilbm/incorrect-uncompressed-size.iff"sv),
 TEST_INPUT("ilbm/missing-body-chunk.iff"sv)
 };
diff --git a/Tests/LibGfx/test-inputs/ilbm/incorrect-uncompressed-size.iff b/Tests/LibGfx/test-inputs/ilbm/incorrect-uncompressed-size.iff
new file mode 100644
index 0000000000..80e47cf43a
Binary files /dev/null and b/Tests/LibGfx/test-inputs/ilbm/incorrect-uncompressed-size.iff differ
diff --git a/Userland/Libraries/LibGfx/ImageFormats/ILBMLoader.cpp b/Userland/Libraries/LibGfx/ImageFormats/ILBMLoader.cpp
index 119a5fd866..83ad61110a 100644
--- a/Userland/Libraries/LibGfx/ImageFormats/ILBMLoader.cpp
+++ b/Userland/Libraries/LibGfx/ImageFormats/ILBMLoader.cpp
@@ -176,7 +176,14 @@ static ErrorOr uncompress_byte_run(ReadonlyBytes data, ILBMLoadingCo
 auto length = data.size();
 dbgln_if(ILBM_DEBUG, "uncompress_byte_run pitch={} size={}", context.pitch, data.size());
- auto plane_data = TRY(ByteBuffer::create_uninitialized(context.pitch * context.bm_header.height * context.bm_header.planes));
+ size_t plane_data_size = context.pitch * context.bm_header.height * context.bm_header.planes;
+ // The maximum run length of this compression method is 127 bytes, so the uncompressed size
+ // cannot be more than 127 times the size of the chunk we are decompressing.
+ if (plane_data_size > NumericLimits::max() || ceil_div(plane_data_size, 127ul) > length)
+ return Error::from_string_literal("Uncompressed data size too large");
+ auto plane_data = TRY(ByteBuffer::create_uninitialized(plane_data_size));
 u32 index = 0;
 u32 read_bytes = 0;
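Review bot: The product on the new `size_t plane_data_size = ...` line is evaluated in the promoted type of its operands and only widened afterwards. If `context.pitch`, `bm_header.height` and `bm_header.planes` are narrower than `size_t` (their declarations are outside this hunk), header values from a crafted file can overflow the multiplication before the range check on the next lines sees the result. Widening the first operand keeps the check meaningful: `size_t plane_data_size = static_cast<size_t>(context.pitch) * context.bm_header.height * context.bm_header.planes;`. Where `size_t` is 32 bits the product can still wrap, so a checked multiplication would be the stricter choice. uncompress_byte_run begins before and continues past this hunk.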
@@ -197,6 +204,9 @@ static ErrorOr uncompress_byte_run(ReadonlyBytes data, ILBMLoadingCo } } + if (index != plane_data_size) + return Error::from_string_literal("Unexpected end of chunk while decompressing data"); + return plane_data; }
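Review bot: The new `index != plane_data_size` check is what keeps unwritten memory out of the decoded image, but nothing in the code says so. `plane_data` comes from `ByteBuffer::create_uninitialized` earlier in the function, so a stream that ends early would otherwise return a buffer whose tail was never filled. I would add a comment above the check: `// plane_data is allocated uninitialized; reject input that does not fill it completely.` The decompression loop that advances `index` lies outside this hunk, so whether every write in it is bounded by `plane_data_size` needs confirming there.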