From bc6ae54b59eefa44016ca39d2898daaa9e52bca0 Mon Sep 17 00:00:00 2001
From: Tim Ledbetter
Date: Sat, 7 Oct 2023 10:02:32 +0100
Subject: [PATCH] LibGfx/PNGLoader: Don't allow multiple consecutive IHDR chunks
---
 Userland/Libraries/LibGfx/ImageFormats/PNGLoader.cpp | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/Userland/Libraries/LibGfx/ImageFormats/PNGLoader.cpp b/Userland/Libraries/LibGfx/ImageFormats/PNGLoader.cpp
index aa8f8294c4..6cbf987481 100644
--- a/Userland/Libraries/LibGfx/ImageFormats/PNGLoader.cpp
+++ b/Userland/Libraries/LibGfx/ImageFormats/PNGLoader.cpp
@@ -1237,8 +1237,12 @@ static ErrorOr process_chunk(Streamer& streamer, PNGLoadingContext& contex
 }
 dbgln_if(PNG_DEBUG, "Chunk type: '{}', size: {}, crc: {:x}", chunk_type, chunk_size, chunk_crc);
- if (chunk_type == "IHDR"sv)
+ if (chunk_type == "IHDR"sv) {
+ if (context.state >= PNGLoadingContext::IHDRDecoded)
+ return Error::from_string_literal("Multiple IHDR chunks");
+ return process_IHDR(chunk_data, context);
+ }
 if (context.state < PNGLoadingContext::IHDRDecoded)
 return Error::from_string_literal("IHDR is not the first chunk of the file");
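Review bot: The added `context.state >= PNGLoadingContext::IHDRDecoded` guard in the IHDR branch has no comment explaining why a repeated header must abort decoding, and the diffstat shows only PNGLoader.cpp changing, so no regression input with two IHDR chunks accompanies the fix. A comment such as `// PNG permits exactly one IHDR; a later one would re-run process_IHDR on a context already set up from the first.` would record the intent. Presumably process_IHDR overwrites the stored dimensions and color settings, which is what would make a late header hazardous for anything sized or selected from the first one, but its body is not in this hunk. The guard also relies on the state enum being ordered so that every later state compares `>=` IHDRDecoded, which makes it reject non-consecutive repeats as well as the consecutive case named in the subject; process_chunk begins and ends outside the hunk.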