Merge pull request #3091 from SixLabors/af/backport-3075-to-3.1

JimBobSquarePants · web-flow · commit 634f5545ca6f · 2026-03-22T20:53:16.000+10:00
[3.1] Backport #3075 - Add check, if Offset is greater then stream length when reading bitmap colorMapSize
diff --git a/src/ImageSharp/Formats/Bmp/BmpDecoderCore.cs b/src/ImageSharp/Formats/Bmp/BmpDecoderCore.cs
@@ -1445,6 +1445,12 @@ private int ReadImageHeaders(BufferedReadStream stream, out bool inverted, out b
                 switch (this.fileMarkerType)
                 {
                     case BmpFileMarkerType.Bitmap:
+                        if (this.fileHeader.Offset > stream.Length)
+                        {
+                            BmpThrowHelper.ThrowInvalidImageContentException(
+                                $"Pixel data offset {this.fileHeader.Offset} exceeds file size {stream.Length}.");
+                        }
+
                         colorMapSizeBytes = this.fileHeader.Offset - BmpFileHeader.Size - this.infoHeader.HeaderSize;
                         int colorCountForBitDepth = ColorNumerics.GetColorCountForBitDepth(this.infoHeader.BitsPerPixel);
                         bytesPerColorMapEntry = colorMapSizeBytes / colorCountForBitDepth;
diff --git a/tests/ImageSharp.Tests/Formats/Bmp/BmpDecoderTests.cs b/tests/ImageSharp.Tests/Formats/Bmp/BmpDecoderTests.cs
@@ -571,6 +571,34 @@ public void BmpDecoder_ThrowsException_Issue2696<TPixel>(TestImageProvider<TPixe
         Assert.IsType<InvalidMemoryOperationException>(ex.InnerException);
     }
 
+    // https://github.com/SixLabors/ImageSharp/issues/3074
+    [Fact]
+    public void BmpDecoder_ThrowsException_Issue3074()
+    {
+        // Crafted BMP: pixel data offset = 0x7FFFFFFF, actual file = 35 bytes
+        byte[] data =
+        [
+            0x42, 0x4D,                         // "BM" signature
+            0x3A, 0x00, 0x00, 0x00,             // file size: 58
+            0x00, 0x00, 0x00, 0x00,             // reserved
+            0xFF, 0xFF, 0xFF, 0x7F,             // pixel offset: 0x7FFFFFFF (2,147,483,647)
+            0x28, 0x00, 0x00, 0x00,             // DIB header size: 40
+            0x01, 0x00, 0x00, 0x00,             // width: 1
+            0x01, 0xFF, 0x00, 0x00,             // height: 65281
+            0x01, 0x00,                         // color planes: 1
+            0x08, 0x00,                         // bits per pixel: 8
+            0x00, 0x00, 0x00, 0x00,             // compression: RGB
+            0x00, 0x00, 0x00 // (truncated)
+        ];
+
+        using MemoryStream stream = new(data);
+
+        Assert.Throws<InvalidImageContentException>(() =>
+        {
+            using Image<Rgba32> image = Image.Load<Rgba32>(stream);
+        });
+    }
+  
     [Fact]
     public void BmpDecoder_ThrowsException_Issue3067()
     {
