From fc5b6e4ddaf338780d567a9ff2cc1eb619a55e7c Mon Sep 17 00:00:00 2001
From: Nicolas Ramz <nicolas.ramz@gmail.com>
Date: Fri, 5 Jan 2024 17:09:29 +0100
Subject: [PATCH] LiGfx/ILBMLoader: Don't throw if malformed bitplane can be
 decoded

Some apps seem to generate malformed images that are accepted
by most readers. We now only throw if malformed data would lead to
a write outside the chunky buffer.
---
 Tests/LibGfx/TestImageDecoder.cpp                |  11 +++++++++++
 .../test-inputs/ilbm/brush-transparent-color.iff | Bin 0 -> 4858 bytes
 .../Libraries/LibGfx/ImageFormats/ILBMLoader.cpp |   8 +++++++-
 3 files changed, 18 insertions(+), 1 deletion(-)
 create mode 100644 Tests/LibGfx/test-inputs/ilbm/brush-transparent-color.iff

diff --git a/Tests/LibGfx/TestImageDecoder.cpp b/Tests/LibGfx/TestImageDecoder.cpp
index f9f7022d1a..ffd47e6a3e 100644
--- a/Tests/LibGfx/TestImageDecoder.cpp
+++ b/Tests/LibGfx/TestImageDecoder.cpp
@@ -243,6 +243,17 @@ TEST_CASE(test_24bit)
     EXPECT_EQ(frame.image->get_pixel(158, 270), Gfx::Color(0xee, 0x3d, 0x3c, 255));
 }
 
+TEST_CASE(test_brush_transparent_color)
+{
+    auto file = MUST(Core::MappedFile::map(TEST_INPUT("ilbm/brush-transparent-color.iff"sv)));
+    EXPECT(Gfx::ILBMImageDecoderPlugin::sniff(file->bytes()));
+    auto plugin_decoder = TRY_OR_FAIL(Gfx::ILBMImageDecoderPlugin::create(file->bytes()));
+
+    auto frame = TRY_OR_FAIL(expect_single_frame_of_size(*plugin_decoder, { 266, 309 }));
+
+    EXPECT_EQ(frame.image->get_pixel(114, 103), Gfx::Color::NamedColor::Black);
+}
+
 TEST_CASE(test_ilbm_malformed_header)
 {
     Array test_inputs = {
diff --git a/Tests/LibGfx/test-inputs/ilbm/brush-transparent-color.iff b/Tests/LibGfx/test-inputs/ilbm/brush-transparent-color.iff
new file mode 100644
index 0000000000000000000000000000000000000000..ed5e7268f60a30bcce54d8bacb8af38027d40d7d
GIT binary patch
literal 4858
zcmZ?s5AtPT5c=fl<K*k)>*2z{z#ziN#c0Zq%V5RK#Mr>VAST7sz&OF#*D-*BfkEQT
znKKLw4FCWC@95}QrNnSIl;PcO28Ip>_aH|n1_lNehE|4I&W^tBU^e3f7MB1|1u$ER
zLCneDC6a+bsP#Sr`S2qHgTe=}{*Md{25?pZoK*p5)nH-$gNq?p|6yW`{~JDnjsC>I
zgvvgEB>n&^oB96-xHu~N2V9)}{~sLee@Np0;cWi@a5gjl|Njl2ppFA^4q)fV|Ns90
zE`!ebfGqO^&awah|Hp3z2F9N-<L&?d|MQ!Hk+I<ylE}Z`42;YOk^2At!6FA>Y8dMO
z{Rb&Q5nyQe!@$V?09g%0=mSjX?|+5^AT{U${6COXJov-Fh$8R-B=85K;xhvS<KO=b
zAR+mGC_+E}FfgJC{Q(L6hpS@#`=0?MWREKJ?+*i${r`sFVDEosU;rt@5c~804+B&E
z{{wJU?0^0<H2ejLJs>D{;4j1f{|p~c)IC5G<Nx!Y0V4JTt_~#j;U5DtBRGmc+2}I^
z14!@(9>ITb?ec&AGyM6-z|0JeJ*al5AOkZf0+Gc2{bK-$fg%hlYXAHHKL!T&fB&(H
z9ryzaFZ<vBnHwMqQ3Ve`1Ruav*8l#`e1L(0{~tI4q1J!|A7B&w01^CwqWuE{gZ#h$
z3~<3;|CxV4g#N(PVHf(tz+nIHKf^yHRsR?m?En6U2z+5+VEpx;8CmE%1B3jx|Nj{n
z>i>eH8sy&J3=Hg_{xdb;6g%)294ruZj0YGXv5L@&P3Qqg)dv)f9~l4qXTT!#14Y#j
zkg7i@LVuV+k&Y?!4@Kx7NEMRM$NvoMzyBkYK==#||KOha_@ANu_kT2z{@?!@4xp$x
zk0J8@_kV^52sN+Jc^^>Ze&FH#L6Jk{{X@vT{Ev&x)W87u&r47wBJ&R5mP45L>OTXL
zO|QV&3l_H+JXF7+`V%!okizg4N*KRF#0mfF{|ty21Mv_MFaP>K10rRh^6XzDCnON>
z0X&}TU;k%7Bv=ry0VekfnlFAcfb50jkv|L!jIY5(D9F!H9yBLHc^}{^L8a*55Acls
zhk*f<=ITHGXMmOme;61*W$68n;5q?nB1q)>M|g?z2U6Vq{P-VIs6qMvKK*Ba7IS|X
z803HdXW0MwKf@om8j#5Q&;J>qB`GND|NhVL`!l=@hKl_8{GS0@djDZysQ>k!!Tt-n
z$oVh-8K9;9ABLa*89smc&j76}!2BOyptT8z$N10w+kXaVz4VuXf$_(GhW>B=8K9LH
zROIou{|wLy?=J%b^N;@wAHV%)fYyl+5yn6D-~Tf}tJ1#=4D8?kGst6z9RL2G0a^q9
zWnkd{{-5FF_x}vgY8xWL_@n;Ee@I>bmjPr1<3IVI{~7)vgueY}X#e@2;SXE{<b{Vn
z|1<nR7GeAV3Z4%rLVx6c{bzUp7pnjIpMn3^e})4nB8QPhzJR>>pP>P!;>&-=ANIfh
z{{Uyie+&$aU;Z=x166SU5JI2-Gc<$BG`I*eDAxY`XZV3E!uY`+)GUAtv48&0_=o@R
ze})GLp-=z8b^8Ih2>&Ng`v1?+fGooJp&nG_p$Pqu|M&kp%#re+{<HjJ|Ns9VLgeFr
z=End3|G)+8KmKQaQ2+l2iogf?{~zE2^&kH;|6%|C03q<<KNI8s12F#k|4aw!8xTCk
z5Axr@4*1W&!1(?@;}2BszdE=q^Sl2He^7Wo;5_zs{~0DA^Zqa}2tcyUe+CBjcmMw|
zFciS~{O`d<4kIHpAN^-w015s1%fQHt5R!inE_@jIF@@w2LiX?fgX%NJdT1{F&%gi@
zdhid__(q7;zX#VSOw6D*DX2^URliU%euUUNa4E?o4{DV{RK5ETZi_)n1x8R9fr@HS
z(+NWi(H;Vs{sCNygBm3WkAL{j@Z%r2SpgSg1eIm~7$6N_ke#5W!pHy2AHWS#h%!(U
z3Ka8@He>^&Ed0yBQ2z<i?g6zU;DY?0z|AIk6hTIaAh^W=Q3)!lK7(2zpt>H~z5*4U
zU%-tOP?-u9{LS#?KQpv|gbOjqe+3JIT73vX=C9yZQ$4700<q;61B3my|4bhk7(vxF
zT#WtOf2Icv%m}fc3}6v{WD!uQ!gPSa{x`g^|H;6>{2f%m)+5AzFfi2r_|FJxWr14n
zpb-4Qz`zd@V*Ul!`2*B5`OowZT#!JkmhTJ<_P_o!{Q;4%hTnGv2IgP?nSOu^ZK%3$
z3=H+Z|1<tz1eIM7FMMNQ;Q#%f@dGocfP)J${{GMSfFB|BmEre)#sl^Ufo}|;a9})8
zk1oW}_ygXAgeU?R-_S<oH*g)t_>Uh&5%Zt_jQ{L0gg^y6+(n>j@8>sYmHQ1+F@8qo
ze?Z9be}K0}LEa;pC;tId*n!KCZww3=Jh)rzKf;^W-xwG`JZQoJ@jk(;Sx{(yf>)Lh
z9;BxQVuLDQ7!Op)!q}hTRnIpDP%#dv2);8gFn)&C0wDGmc;OD^L5plqtbhH_04;c-
zJZPB;<w1+g?+gs=pjsAE)<Jm(5WMgI8UB3*hXqLP`+tTHa2}`{Z9wpT{Ac*{1*Q@d
zvj^Zja7FqVCI{kuK;bpOdG^2lGyH*c!6B)c0orc|@qYhjfQ|@!2d7{L=-2|32OXsV
z@j%reWccDc11JX~*zcjP0QDLmY*0=Dbx{#KQ1AC0SRF_XR5ikR%zyvCg~>33x>qQ?
z127(_C;8_MR3S6_|NjqQ947Yv|6fBTnArdSfV27kAAqqL`TxCwDq-Y*0An)9zk~`h
NNI+PiqJi3&0RSYw8u0)C

literal 0
HcmV?d00001

diff --git a/Userland/Libraries/LibGfx/ImageFormats/ILBMLoader.cpp b/Userland/Libraries/LibGfx/ImageFormats/ILBMLoader.cpp
index 822f151b3c..8e2cebee1d 100644
--- a/Userland/Libraries/LibGfx/ImageFormats/ILBMLoader.cpp
+++ b/Userland/Libraries/LibGfx/ImageFormats/ILBMLoader.cpp
@@ -211,13 +211,19 @@ static ErrorOr<ByteBuffer> planar_to_chunky(ReadonlyBytes bitplanes, ILBMLoading
         for (u8 p = 0; p < planes; p++) {
             u8 const plane_mask = 1 << (p % 8);
             size_t offset_base = (pitch * planes * y) + (p * pitch);
-            if (offset_base + pitch > bitplanes.size() || scanline + ((pitch - 1) * 8) + 7 >= chunky.size())
+            if (offset_base + pitch > bitplanes.size())
                 return Error::from_string_literal("Malformed bitplane data");
 
             for (u16 i = 0; i < pitch; i++) {
                 u8 bit = bitplanes[offset_base + i];
                 u8 rgb_shift = p / 8;
 
+                // Only throw an error if we would actually attempt to write
+                // outside of the chunky buffer. Some apps like PPaint produce
+                // malformed bitplane data but files are still accepted by most readers.
+                if (bit && scanline + ((pitch - 1) * 8) + 7 >= chunky.size())
+                    return Error::from_string_literal("Malformed bitplane data");
+
                 for (u8 b = 0; b < 8; b++) {
                     u8 mask = 1 << (7 - b);
                     // get current plane