diff --git a/Tests/LibGfx/TestImageDecoder.cpp b/Tests/LibGfx/TestImageDecoder.cpp
index deeb1439a0..b05fc35477 100644
--- a/Tests/LibGfx/TestImageDecoder.cpp
+++ b/Tests/LibGfx/TestImageDecoder.cpp
@@ -154,6 +154,7 @@ TEST_CASE(test_ilbm_malformed_header)
 TEST_CASE(test_ilbm_malformed_frame)
 {
 Array test_inputs = {
+ TEST_INPUT("ilbm/incorrect-cmap-size.iff"sv),
 TEST_INPUT("ilbm/incorrect-uncompressed-size.iff"sv),
 TEST_INPUT("ilbm/missing-body-chunk.iff"sv)
 };
diff --git a/Tests/LibGfx/test-inputs/ilbm/incorrect-cmap-size.iff b/Tests/LibGfx/test-inputs/ilbm/incorrect-cmap-size.iff
new file mode 100644
index 0000000000..98c2a17594
Binary files /dev/null and b/Tests/LibGfx/test-inputs/ilbm/incorrect-cmap-size.iff differ
diff --git a/Userland/Libraries/LibGfx/ImageFormats/ILBMLoader.cpp b/Userland/Libraries/LibGfx/ImageFormats/ILBMLoader.cpp
index 025c141e4b..f25df74d42 100644
--- a/Userland/Libraries/LibGfx/ImageFormats/ILBMLoader.cpp
+++ b/Userland/Libraries/LibGfx/ImageFormats/ILBMLoader.cpp
@@ -298,6 +298,9 @@ static ErrorOr decode_iff_chunks(ILBMLoadingContext& context)
 while (!chunks.is_empty()) {
 auto chunk = TRY(decode_iff_advance_chunk(chunks));
 if (chunk.type == FourCC("CMAP")) {
+ if (chunk.data.size() != (1ul << context.bm_header.planes) * 3)
+ return Error::from_string_literal("Invalid CMAP chunk size");
+
 context.color_table = TRY(decode_cmap_chunk(chunk));
 } else if (chunk.type == FourCC("BODY")) {
 if (context.color_table.is_empty())
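Review bot: The shift count in `1ul << context.bm_header.planes` comes from the file's bitmap header, and nothing in this hunk bounds it before the comparison; if `planes` can reach the bit width of `unsigned long` (32 on ILP32 targets), the shift is undefined behaviour and the size check stops being a reliable gate for `decode_cmap_chunk`. Unless `planes` is already range-checked where the header is parsed (not visible here), reject large values ahead of the size comparison, e.g. `if (context.bm_header.planes > 8) return Error::from_string_literal("Invalid CMAP chunk size");`, with the limit set to whatever depth the loader actually supports for palettised images. The strict `!=` also rejects any file whose palette is shorter than 2^planes entries, which is worth confirming against the ILBM variants this loader intends to accept. decode_iff_chunks begins and ends outside the hunk.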