From bc6638682da6d8eca8267e603dfec84b48832902 Mon Sep 17 00:00:00 2001
From: Tim Ledbetter
Date: Sun, 8 Oct 2023 13:53:51 +0100
Subject: [PATCH] LibGfx/BMPLoader: Ensure DIB size and offset are within expected range

---
 Userland/Libraries/LibGfx/ImageFormats/BMPLoader.cpp | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/Userland/Libraries/LibGfx/ImageFormats/BMPLoader.cpp b/Userland/Libraries/LibGfx/ImageFormats/BMPLoader.cpp
index 4a6d4c39b0..fee77bcdb9 100644
--- a/Userland/Libraries/LibGfx/ImageFormats/BMPLoader.cpp
+++ b/Userland/Libraries/LibGfx/ImageFormats/BMPLoader.cpp
@@ -832,7 +832,17 @@ static ErrorOr decode_bmp_dib(BMPLoadingContext& context)
 // NOTE: If this is a headless BMP (embedded on ICO files), then we can only infer the data_offset after we know the data table size.
 // We are also assuming that no Extra bit masks are present
- u32 dib_offset = context.is_included_in_ico ? dib_size : context.data_offset - header_size - 4;
+ u32 dib_offset = dib_size;
+ if (!context.is_included_in_ico) {
+ if (context.data_offset < header_size + 4u)
+ return Error::from_string_literal("Data offset too small");
+
+ dib_offset = context.data_offset - header_size - 4;
+ }
+
+ if (dib_offset >= context.file_size)
+ return Error::from_string_literal("DIB too large");
+
+
 streamer = InputStreamer(context.file_bytes + header_size + 4, dib_offset);
 dbgln_if(BMP_DEBUG, "BMP dib size: {}", dib_size);