From f56ae8c0e9d4ef5e07794b2368e6c10096318c7a Mon Sep 17 00:00:00 2001
From: Tim Ledbetter <timledbetter@gmail.com>
Date: Mon, 30 Oct 2023 16:35:40 +0000
Subject: [PATCH] LibGfx/ILBM: Ensure CMAP chunk size matches expected value

The color map should be 3 bytes per pixel and should contain
`2^nPlanes` pixels. We now return an error if the color map isn't the
size we expect.
---
 Tests/LibGfx/TestImageDecoder.cpp                |   1 +
 .../test-inputs/ilbm/incorrect-cmap-size.iff     | Bin 0 -> 8042 bytes
 .../Libraries/LibGfx/ImageFormats/ILBMLoader.cpp |   3 +++
 3 files changed, 4 insertions(+)
 create mode 100644 Tests/LibGfx/test-inputs/ilbm/incorrect-cmap-size.iff

diff --git a/Tests/LibGfx/TestImageDecoder.cpp b/Tests/LibGfx/TestImageDecoder.cpp
index deeb1439a0..b05fc35477 100644
--- a/Tests/LibGfx/TestImageDecoder.cpp
+++ b/Tests/LibGfx/TestImageDecoder.cpp
@@ -154,6 +154,7 @@ TEST_CASE(test_ilbm_malformed_header)
 TEST_CASE(test_ilbm_malformed_frame)
 {
     Array test_inputs = {
+        TEST_INPUT("ilbm/incorrect-cmap-size.iff"sv),
         TEST_INPUT("ilbm/incorrect-uncompressed-size.iff"sv),
         TEST_INPUT("ilbm/missing-body-chunk.iff"sv)
     };
diff --git a/Tests/LibGfx/test-inputs/ilbm/incorrect-cmap-size.iff b/Tests/LibGfx/test-inputs/ilbm/incorrect-cmap-size.iff
new file mode 100644
index 0000000000000000000000000000000000000000..98c2a17594f6a2acf3eaccd73719bc6dbb5405d6
GIT binary patch
literal 8042
zcmZ?s5AtPTkWcdTaq@NY^>ATeU=U$+U^v0Rz`(%Fz}UdRpko5!JNr5YFfcI4ojG%c
zfq~)w|Nk8w9jlZW?uIhF+s(kx!QkxZ>(0Qyz{0>Nz~B<#sQ_l1Fz7h>yF@ZD$TQt!
zU}R|c-NCTp^(ux}zuz(b`;X4Q$?%PV!Qr<Hb4Y0D)!%m+{(k$9A#ju79|N<3lG38*
ztC)A~-u?UEe{}v$hA#}v0)m2pzeAZz%geui`H#*AxrF0)2SeBERSfHXzhiv=pOFET
z4|WO5Zx?3Q(9qc5cNy-3U4kkAb_tV`lGgK8%&T|r-Vb&O3LoqeMnOT*-=WOm<>mEY
zm!R-LE*TtQ@{fU`{_}r^KW`YA88|u`J~J>deT9V%rpP}A28YiK3@mRzF$M}2NAz$)
z2q4t{V_-%JA51>X)GrLIpl}Ke{EG-VbP<HP=;;WZk5CCsP66oY3n73|i=M79`ADt>
zr8lr^VJVIkO$1>sdRjy0BUFB4U>FTs2K12pf+2zkG4!xR=Oa{(hV2^$%#g$sL4+83
zSfcY0Do4Y1G;HCu1E@Yn6t5TsFe24pmapjb{AhU#YGc4c0V60e1V+Oa)aF8j0(!du
zosUq75tJAL2(_c>7Ss+z4@-1DBD^qy5<>u?b~J29!xmDLVD=Tz`x3BnakTFMN;9Kv
zu+cUcB<ElhuNVTO<?U!Y0W!#ik`hM8Y8cS_xafRDcu~2$g^tC&XJBB24}qa@2G7VL
z$R((wr|6+H@<vlf!vs9m4H^T5kHU|J$!M7T`wyNIK}i>*vooV%0vgvs9qk(plhH8w
M_8&aQI&5Zp0fxbhHvj+t

literal 0
HcmV?d00001

diff --git a/Userland/Libraries/LibGfx/ImageFormats/ILBMLoader.cpp b/Userland/Libraries/LibGfx/ImageFormats/ILBMLoader.cpp
index 025c141e4b..f25df74d42 100644
--- a/Userland/Libraries/LibGfx/ImageFormats/ILBMLoader.cpp
+++ b/Userland/Libraries/LibGfx/ImageFormats/ILBMLoader.cpp
@@ -298,6 +298,9 @@ static ErrorOr<void> decode_iff_chunks(ILBMLoadingContext& context)
     while (!chunks.is_empty()) {
         auto chunk = TRY(decode_iff_advance_chunk(chunks));
         if (chunk.type == FourCC("CMAP")) {
+            if (chunk.data.size() != (1ul << context.bm_header.planes) * 3)
+                return Error::from_string_literal("Invalid CMAP chunk size");
+
             context.color_table = TRY(decode_cmap_chunk(chunk));
         } else if (chunk.type == FourCC("BODY")) {
             if (context.color_table.is_empty())