Merge branch 'main' into dependabot/github_actions/actions/checkout-6

Author: JimBobSquarePants

src/ImageSharp/Formats/Bmp/BmpDecoderCore.cs

@@ -1548,6 +1548,12 @@ private int ReadImageHeaders(BufferedReadStream stream, out bool inverted, out b
                     case BmpFileMarkerType.Bitmap:
                         if (this.fileHeader.HasValue)
                         {
+                            if (this.fileHeader.Value.Offset > stream.Length)
+                            {
+                                BmpThrowHelper.ThrowInvalidImageContentException(
+                                    $"Pixel data offset {this.fileHeader.Value.Offset} exceeds file size {stream.Length}.");
+                            }
+
                             colorMapSizeBytes = this.fileHeader.Value.Offset - BmpFileHeader.Size - this.infoHeader.HeaderSize;
                         }
                         else

tests/ImageSharp.Tests/Formats/Bmp/BmpDecoderTests.cs

@@ -572,6 +572,7 @@ public void BmpDecoder_ThrowsException_Issue2696<TPixel>(TestImageProvider<TPixe
         Assert.IsType<InvalidMemoryOperationException>(ex.InnerException);
     }
 
+    // https://github.com/SixLabors/ImageSharp/issues/3067
     [Fact]
     public void BmpDecoder_ThrowsException_Issue3067()
     {
@@ -594,4 +595,32 @@ public void BmpDecoder_ThrowsException_Issue3067()
             using Image image = BmpDecoder.Instance.Decode(DecoderOptions.Default, stream);
         });
     }
+
+    // https://github.com/SixLabors/ImageSharp/issues/3074
+    [Fact]
+    public void BmpDecoder_ThrowsException_Issue3074()
+    {
+        // Crafted BMP: pixel data offset = 0x7FFFFFFF, actual file = 35 bytes
+        byte[] data =
+        [
+            0x42, 0x4D,                         // "BM" signature
+            0x3A, 0x00, 0x00, 0x00,             // file size: 58
+            0x00, 0x00, 0x00, 0x00,             // reserved
+            0xFF, 0xFF, 0xFF, 0x7F,             // pixel offset: 0x7FFFFFFF (2,147,483,647)
+            0x28, 0x00, 0x00, 0x00,             // DIB header size: 40
+            0x01, 0x00, 0x00, 0x00,             // width: 1
+            0x01, 0xFF, 0x00, 0x00,             // height: 65281
+            0x01, 0x00,                         // color planes: 1
+            0x08, 0x00,                         // bits per pixel: 8
+            0x00, 0x00, 0x00, 0x00,             // compression: RGB
+            0x00, 0x00, 0x00 // (truncated)
+        ];
+
+        using MemoryStream stream = new(data);
+
+        Assert.Throws<InvalidImageContentException>(() =>
+        {
+            using Image<Rgba32> image = Image.Load<Rgba32>(stream);
+        });
+    }
 }