fix(bmp): detect corrupt files where palette doesn't match bpp (#5030)

lgritz · lgritz · commit 91500ed58ce9 · 2026-02-07T03:28:35.000-08:00
Extra protections for corrupted BMP files that claim to be palette
images, but have a BPP that doesn't support palette images. Also an
extra guard around accessing the palette array if it is empty.

Add an extra test case for this kind of corruption.

Signed-off-by: Larry Gritz &lt;lg@larrygritz.com&gt;
diff --git a/src/bmp.imageio/bmpinput.cpp b/src/bmp.imageio/bmpinput.cpp
@@ -259,6 +259,13 @@ BmpInput::open(const std::string& name, ImageSpec& newspec,
     case WINDOWS_V5: m_spec.attribute("bmp:version", 5); break;
     }
 
+    if (m_dib_header.cpalete && !m_colortable.size()) {
+        errorfmt(
+            "BMP error: bad BPP ({}) for palette image -- presumed corrupt file",
+            m_dib_header.bpp);
+        return false;
+    }
+
     // Default presumption is that a BMP file is meant to look reasonable on a
     // display, so assume it's sRGB. This is not really correct -- see the
     // comments below.
@@ -391,8 +398,9 @@ BmpInput::read_native_scanline(int subimage, int miplevel, int y, int /*z*/,
 
     size_t scanline_bytes = m_spec.scanline_bytes();
     uint8_t* mscanline    = (uint8_t*)data;
-    if (m_dib_header.compression == RLE4_COMPRESSION
-        || m_dib_header.compression == RLE8_COMPRESSION) {
+    if ((m_dib_header.compression == RLE4_COMPRESSION
+         || m_dib_header.compression == RLE8_COMPRESSION)
+        && m_colortable.size()) {
         for (int x = 0; x < m_spec.width; ++x) {
             int p = m_uncompressed[(m_spec.height - 1 - y) * m_spec.width + x];
             auto& c              = colortable(p);
diff --git a/testsuite/bmp/ref/out.txt b/testsuite/bmp/ref/out.txt
@@ -298,3 +298,6 @@ oiiotool ERROR: read : "src/bad-y.bmp": BMP might be corrupted, it is referencin
 BMP error reading rle-compressed image
 Full command line was:
 > oiiotool --info -v -a --hash src/bad-y.bmp
+oiiotool ERROR: read : "src/palette32bit-corrupt.bmp": BMP error: bad BPP (32) for palette image -- presumed corrupt file
+Full command line was:
+> oiiotool --info -v -a --hash src/palette32bit-corrupt.bmp
diff --git a/testsuite/bmp/run.py b/testsuite/bmp/run.py
@@ -33,3 +33,4 @@
 # See if we handle these corrupt files with useful error messages
 command += info_command ("src/decodecolormap-corrupt.bmp")
 command += info_command ("src/bad-y.bmp")
+command += info_command ("src/palette32bit-corrupt.bmp")
diff --git a/testsuite/bmp/src/palette32bit-corrupt.bmp b/testsuite/bmp/src/palette32bit-corrupt.bmp
