From b7176d5cfa119feb0d37e35a8093119a308b5090 Mon Sep 17 00:00:00 2001
From: mintsuki
Date: Sat, 25 Sep 2021 02:02:21 +0200
Subject: [PATCH] bmp: Ensure that bf_offset + bf_size <= file size

---
 stage23/lib/bmp.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/stage23/lib/bmp.c b/stage23/lib/bmp.c
index 320ca242..1dada797 100644
--- a/stage23/lib/bmp.c
+++ b/stage23/lib/bmp.c
@@ -40,7 +40,15 @@ int bmp_open_image(struct image *image, struct file_handle *file) {
         return -1;
 
     image->img = ext_mem_alloc(header.bf_size);
-    fread(file, image->img, header.bf_offset, header.bf_size);
+
+    uint32_t bf_size;
+    if (header.bf_offset + header.bf_size > file->size) {
+        bf_size = file->size - header.bf_offset;
+    } else {
+        bf_size = header.bf_size;
+    }
+
+    fread(file, image->img, header.bf_offset, bf_size);
 
     image->x_size = header.bi_width;
     image->y_size = header.bi_height;
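Review bot: The new bound check `header.bf_offset + header.bf_size > file->size` computes the sum in the header's own (apparently 32-bit, given the `uint32_t bf_size` local) width, so a header whose two fields wrap around on addition passes the check and `fread` is still issued with the unclamped `bf_size`; the clamp branch also underflows `file->size - header.bf_offset` whenever `bf_offset` alone exceeds the file size, unless that is already rejected before this hunk (the `return -1;` above suggests earlier validation, but its condition is outside the hunk). Rearranging the comparison so it never forms the sum closes both cases without changing the intended clamping. `bmp_open_image` begins before this hunk and continues after it, and the width of `file->size` is not visible here, so the exact types should be confirmed against `struct file_handle`.

```c
    // Reject an offset past EOF first so the subtraction below cannot underflow,
    // then clamp without forming bf_offset + bf_size (which can wrap).
    if (header.bf_offset > file->size)
        return -1;

    uint32_t bf_size = header.bf_size;
    if (bf_size > file->size - header.bf_offset) {
        bf_size = file->size - header.bf_offset;
    }

    // … unchanged: fread(file, image->img, header.bf_offset, bf_size); …
```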