From f56ae8c0e9d4ef5e07794b2368e6c10096318c7a Mon Sep 17 00:00:00 2001
From: Tim Ledbetter <timledbetter@gmail.com>
Date: Mon, 30 Oct 2023 16:35:40 +0000
Subject: [PATCH] LibGfx/ILBM: Ensure CMAP chunk size matches expected value

The color map should be 3 bytes per pixel and should contain
`2^nPlanes` pixels. We now return an error if the color map isn't the
size we expect.
---
 Tests/LibGfx/TestImageDecoder.cpp                |   1 +
 .../test-inputs/ilbm/incorrect-cmap-size.iff     | Bin 0 -> 8042 bytes
 .../Libraries/LibGfx/ImageFormats/ILBMLoader.cpp |   3 +++
 3 files changed, 4 insertions(+)
 create mode 100644 Tests/LibGfx/test-inputs/ilbm/incorrect-cmap-size.iff

diff --git a/Tests/LibGfx/TestImageDecoder.cpp b/Tests/LibGfx/TestImageDecoder.cpp
index deeb1439a0..b05fc35477 100644
--- a/Tests/LibGfx/TestImageDecoder.cpp
+++ b/Tests/LibGfx/TestImageDecoder.cpp
@@ -154,6 +154,7 @@ TEST_CASE(test_ilbm_malformed_header)
 TEST_CASE(test_ilbm_malformed_frame)
 {
     Array test_inputs = {
+        TEST_INPUT("ilbm/incorrect-cmap-size.iff"sv),
         TEST_INPUT("ilbm/incorrect-uncompressed-size.iff"sv),
         TEST_INPUT("ilbm/missing-body-chunk.iff"sv)
     };
diff --git a/Tests/LibGfx/test-inputs/ilbm/incorrect-cmap-size.iff b/Tests/LibGfx/test-inputs/ilbm/incorrect-cmap-size.iff
new file mode 100644
index 0000000000000000000000000000000000000000..98c2a17594f6a2acf3eaccd73719bc6dbb5405d6
GIT binary patch
literal 8042
zcmeHMu}&L75Pjz}5+#<BHlQmJr9Z$nP5_A$CgOxrq~RZsOI)7v8L1*8@c~?sHicUX
z7l;xGEK^{d;^3CqHOJ&;3tFU1b$;W~>gnCP*`3)hdtYN<^=N0e6L;e6E`Sd~3xDW|
z5WxW0Xj;4(w|f-&G#ZWQVT?)BbQs|>!88L>Y_{Vq`lF6u1>N4xn)}_vMrW`4jn=P?
z5nzy~_;owPO+F0@Bk>q>pp|#SgCx1gFYz=tUSNy@;aU{^ydH+<S(X<@;xT3jR~n7|
zJPD8c{l7CKv1PJMOnwlPGh%W_Osd#1sS}gWN%EbTTsbDyfMZgNqIF_&nq|KolL~fB
zf=1&bF*)q_PaKm9em|NNz{$PA<AmP%ayqyNY7eD4euT1Hlv1DAH)dsNOPx5tx%8$g
z`uMn9b%rIYQ?mcW%E<_?D}5v}XTI2}C;i0%&XvCM@jq;>-yGZ0aZ4h?>q@Ul%$cg~
zguZ2|q#t3$q?QtMrfRF&zE&{1=Wq$|iUhmHuK{u|(wboR!BPcJN-w~<s;%8m<=!PR
z>*Y!51vpo=Rc#m5j+~%pus6^D{N>O`rRQ5cgDpB8Jtt^iraiCg`~5D=k8l;0eVD|Y
zsr6R-GVROCS==2EypF&s;QdSvb(*RZ=ECUIU2h`h<bt;*4eAs1iTXruHtmk_GO+w_
HZhM~rhQW+C

literal 0
HcmV?d00001

diff --git a/Userland/Libraries/LibGfx/ImageFormats/ILBMLoader.cpp b/Userland/Libraries/LibGfx/ImageFormats/ILBMLoader.cpp
index 025c141e4b..f25df74d42 100644
--- a/Userland/Libraries/LibGfx/ImageFormats/ILBMLoader.cpp
+++ b/Userland/Libraries/LibGfx/ImageFormats/ILBMLoader.cpp
@@ -298,6 +298,9 @@ static ErrorOr<void> decode_iff_chunks(ILBMLoadingContext& context)
     while (!chunks.is_empty()) {
         auto chunk = TRY(decode_iff_advance_chunk(chunks));
         if (chunk.type == FourCC("CMAP")) {
+            if (chunk.data.size() != (1ul << context.bm_header.planes) * 3)
+                return Error::from_string_literal("Invalid CMAP chunk size");
+
             context.color_table = TRY(decode_cmap_chunk(chunk));
         } else if (chunk.type == FourCC("BODY")) {
             if (context.color_table.is_empty())