From ba5d39d442a6cdde8a23ac8fd75429d7cf369e6c Mon Sep 17 00:00:00 2001 From: James Jackson-South Date: Fri, 6 Mar 2026 14:12:28 +1000 Subject: [PATCH 1/4] Fix #3067 --- src/ImageSharp/Formats/Bmp/BmpDecoderCore.cs | 17 ++++++++++---- .../Formats/Bmp/BmpDecoderTests.cs | 23 +++++++++++++++++++ 2 files changed, 35 insertions(+), 5 deletions(-) diff --git a/src/ImageSharp/Formats/Bmp/BmpDecoderCore.cs b/src/ImageSharp/Formats/Bmp/BmpDecoderCore.cs index 5dc30575d5..3ac7e803ea 100644 --- a/src/ImageSharp/Formats/Bmp/BmpDecoderCore.cs +++ b/src/ImageSharp/Formats/Bmp/BmpDecoderCore.cs @@ -126,7 +126,10 @@ protected override Image Decode(BufferedReadStream stream, Cance switch (this.infoHeader.Compression) { case BmpCompression.RGB: - if (this.infoHeader.BitsPerPixel == 32) + + ushort bitsPerPixel = this.infoHeader.BitsPerPixel; + + if (bitsPerPixel == 32) { if (this.bmpMetadata.InfoHeaderType == BmpInfoHeaderType.WinVersion3) { @@ -137,15 +140,15 @@ protected override Image Decode(BufferedReadStream stream, Cance this.ReadRgb32Fast(stream, pixels, this.infoHeader.Width, this.infoHeader.Height, inverted); } } - else if (this.infoHeader.BitsPerPixel == 24) + else if (bitsPerPixel == 24) { this.ReadRgb24(stream, pixels, this.infoHeader.Width, this.infoHeader.Height, inverted); } - else if (this.infoHeader.BitsPerPixel == 16) + else if (bitsPerPixel == 16) { this.ReadRgb16(stream, pixels, this.infoHeader.Width, this.infoHeader.Height, inverted); } - else if (this.infoHeader.BitsPerPixel <= 8) + else if (bitsPerPixel is > 0 and <= 8) { this.ReadRgbPalette( stream, @@ -153,10 +156,14 @@ protected override Image Decode(BufferedReadStream stream, Cance palette, this.infoHeader.Width, this.infoHeader.Height, - this.infoHeader.BitsPerPixel, + bitsPerPixel, bytesPerColorMapEntry, inverted); } + else + { + BmpThrowHelper.ThrowInvalidImageContentException($"Invalid bits per pixel: {bitsPerPixel}"); + } break; diff --git a/tests/ImageSharp.Tests/Formats/Bmp/BmpDecoderTests.cs b/tests/ImageSharp.Tests/Formats/Bmp/BmpDecoderTests.cs index 1ce794e44b..80e3061205 100644 --- a/tests/ImageSharp.Tests/Formats/Bmp/BmpDecoderTests.cs +++ b/tests/ImageSharp.Tests/Formats/Bmp/BmpDecoderTests.cs @@ -570,4 +570,27 @@ public void BmpDecoder_ThrowsException_Issue2696(TestImageProvider(ex.InnerException); } + + [Fact] + public void BmpDecoder_ThrowsException_Issue3067() + { + // Construct minimal BMP with bitsPerPixel = 0 + byte[] bmp = new byte[54]; + bmp[0] = (byte)'B'; + bmp[1] = (byte)'M'; + BitConverter.GetBytes(54).CopyTo(bmp, 2); + BitConverter.GetBytes(54).CopyTo(bmp, 10); + BitConverter.GetBytes(40).CopyTo(bmp, 14); + BitConverter.GetBytes(1).CopyTo(bmp, 18); + BitConverter.GetBytes(1).CopyTo(bmp, 22); + BitConverter.GetBytes((short)1).CopyTo(bmp, 26); + BitConverter.GetBytes((short)0).CopyTo(bmp, 28); // bitsPerPixel = 0 + + using MemoryStream stream = new(bmp); + + InvalidImageContentException ex = Assert.Throws(() => + { + using Image image = BmpDecoder.Instance.Decode(DecoderOptions.Default, stream); + }); + } } From 878309719d21df4a4a59e92eaba9f8eb4ab20740 Mon Sep 17 00:00:00 2001 From: James Jackson-South Date: Fri, 6 Mar 2026 14:22:22 +1000 Subject: [PATCH 2/4] Update build-and-test.yml --- .github/workflows/build-and-test.yml | 121 ++++++++++++++++++++------- 1 file changed, 89 insertions(+), 32 deletions(-) diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml index ec3ebfa1dc..5fd7567423 100644 --- a/.github/workflows/build-and-test.yml +++ b/.github/workflows/build-and-test.yml @@ -11,13 +11,57 @@ on: branches: - main - release/* - types: [ labeled, opened, synchronize, reopened ] + types: [ opened, synchronize, reopened ] + jobs: + # Prime a single LFS cache and expose the exact key for the matrix + WarmLFS: + runs-on: ubuntu-latest + outputs: + lfs_key: ${{ steps.expose-key.outputs.lfs_key }} + steps: + - name: Git Config + shell: bash + run: | + git config --global core.autocrlf false + git config --global core.longpaths true + + - name: Git Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 + submodules: recursive + + # Deterministic list of LFS object IDs, then compute a portable key: + # - `git lfs ls-files -l` lists all tracked LFS objects with their SHA-256 + # - `awk '{print $1}'` extracts just the SHA field + # - `sort` sorts in byte order (hex hashes sort the same everywhere) + # This ensures the file content is identical regardless of OS or locale + - name: Git Create LFS id list + shell: bash + run: git lfs ls-files -l | awk '{print $1}' | sort > .lfs-assets-id + + - name: Git Expose LFS cache key + id: expose-key + shell: bash + env: + LFS_KEY: lfs-${{ hashFiles('.lfs-assets-id') }}-v1 + run: echo "lfs_key=$LFS_KEY" >> "$GITHUB_OUTPUT" + + - name: Git Setup LFS Cache + uses: actions/cache@v5 + with: + path: .git/lfs + key: ${{ steps.expose-key.outputs.lfs_key }} + + - name: Git Pull LFS + shell: bash + run: git lfs pull + Build: + needs: WarmLFS strategy: matrix: - isARM: - - ${{ contains(github.event.pull_request.labels.*.name, 'arch:arm32') || contains(github.event.pull_request.labels.*.name, 'arch:arm64') }} options: - os: ubuntu-latest framework: net7.0 @@ -25,7 +69,7 @@ jobs: sdk-preview: true runtime: -x64 codecov: false - - os: macos-13 # macos-latest runs on arm64 runners where libgdiplus is unavailable + - os: macos-26 framework: net7.0 sdk: 7.0.x sdk-preview: true @@ -37,18 +81,19 @@ jobs: sdk-preview: true runtime: -x64 codecov: false - - os: buildjet-4vcpu-ubuntu-2204-arm + - os: ubuntu-22.04-arm framework: net7.0 sdk: 7.0.x sdk-preview: true runtime: -x64 codecov: false + - os: ubuntu-latest framework: net6.0 sdk: 6.0.x runtime: -x64 codecov: false - - os: macos-13 # macos-latest runs on arm64 runners where libgdiplus is unavailable + - os: macos-26 framework: net6.0 sdk: 6.0.x runtime: -x64 @@ -58,19 +103,32 @@ jobs: sdk: 6.0.x runtime: -x64 codecov: false - exclude: - - isARM: false - options: - os: buildjet-4vcpu-ubuntu-2204-arm + - os: ubuntu-22.04-arm + framework: net6.0 + sdk: 6.0.x + runtime: -x64 + codecov: false - runs-on: ${{matrix.options.os}} + runs-on: ${{ matrix.options.os }} steps: - name: Install libgdi+, which is required for tests running on ubuntu if: ${{ contains(matrix.options.os, 'ubuntu') }} run: | - sudo apt-get update - sudo apt-get -y install libgdiplus libgif-dev libglib2.0-dev libcairo2-dev libtiff-dev libexif-dev + sudo apt-get update + sudo apt-get -y install libgdiplus libgif-dev libglib2.0-dev libcairo2-dev libtiff-dev libexif-dev + + - name: Install libgdi+, which is required for tests running on macos + if: ${{ contains(matrix.options.os, 'macos-26') }} + run: | + brew update + brew install mono-libgdiplus + # Create symlinks to make libgdiplus discoverable + sudo mkdir -p /usr/local/lib + sudo ln -sf $(brew --prefix)/lib/libgdiplus.dylib /usr/local/lib/libgdiplus.dylib + # Verify installation + ls -la $(brew --prefix)/lib/libgdiplus* || echo "libgdiplus not found in brew prefix" + ls -la /usr/local/lib/libgdiplus* || echo "libgdiplus not found in /usr/local/lib" - name: Git Config shell: bash @@ -84,25 +142,22 @@ jobs: fetch-depth: 0 submodules: recursive - # See https://github.com/actions/checkout/issues/165#issuecomment-657673315 - - name: Git Create LFS FileList - run: git lfs ls-files -l | cut -d' ' -f1 | sort > .lfs-assets-id - + # Use the warmed key from WarmLFS. Do not recompute or recreate .lfs-assets-id here. - name: Git Setup LFS Cache - uses: actions/cache@v3 - id: lfs-cache + uses: actions/cache@v5 with: path: .git/lfs - key: ${{ runner.os }}-lfs-${{ hashFiles('.lfs-assets-id') }}-v1 + key: ${{ needs.WarmLFS.outputs.lfs_key }} - name: Git Pull LFS + shell: bash run: git lfs pull - name: NuGet Install - uses: NuGet/setup-nuget@v1 + uses: NuGet/setup-nuget@v2 - name: NuGet Setup Cache - uses: actions/cache@v3 + uses: actions/cache@v5 id: nuget-cache with: path: ~/.nuget @@ -110,13 +165,19 @@ jobs: restore-keys: ${{ runner.os }}-nuget- - name: DotNet Setup - uses: actions/setup-dotnet@v4 + if: ${{ matrix.options.sdk-preview != true }} + uses: actions/setup-dotnet@v5 with: dotnet-version: | - 8.0.x - 7.0.x 6.0.x + - name: DotNet Setup Preview + if: ${{ matrix.options.sdk-preview == true }} + uses: actions/setup-dotnet@v5 + with: + dotnet-version: | + 7.0.x + - name: DotNet Build if: ${{ matrix.options.sdk-preview != true }} shell: pwsh @@ -148,7 +209,7 @@ jobs: XUNIT_PATH: .\tests\ImageSharp.Tests # Required for xunit - name: Export Failed Output - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v6 if: failure() with: name: actual_output_${{ runner.os }}_${{ matrix.options.framework }}${{ matrix.options.runtime }}.zip @@ -156,11 +217,8 @@ jobs: Publish: needs: [Build] - runs-on: ubuntu-latest - if: (github.event_name == 'push') - steps: - name: Git Config shell: bash @@ -175,10 +233,10 @@ jobs: submodules: recursive - name: NuGet Install - uses: NuGet/setup-nuget@v1 + uses: NuGet/setup-nuget@v2 - name: NuGet Setup Cache - uses: actions/cache@v3 + uses: actions/cache@v5 id: nuget-cache with: path: ~/.nuget @@ -201,4 +259,3 @@ jobs: run: | dotnet nuget push .\artifacts\*.nupkg -k ${{secrets.NUGET_TOKEN}} -s https://api.nuget.org/v3/index.json --skip-duplicate dotnet nuget push .\artifacts\*.snupkg -k ${{secrets.NUGET_TOKEN}} -s https://api.nuget.org/v3/index.json --skip-duplicate - From 78b5ee89b22e2570f7a7bc7789da0201680b0e00 Mon Sep 17 00:00:00 2001 From: James Jackson-South Date: Fri, 6 Mar 2026 14:31:00 +1000 Subject: [PATCH 3/4] Revert "Update build-and-test.yml" This reverts commit 878309719d21df4a4a59e92eaba9f8eb4ab20740. --- .github/workflows/build-and-test.yml | 121 +++++++-------------------- 1 file changed, 32 insertions(+), 89 deletions(-) diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml index 5fd7567423..ec3ebfa1dc 100644 --- a/.github/workflows/build-and-test.yml +++ b/.github/workflows/build-and-test.yml @@ -11,57 +11,13 @@ on: branches: - main - release/* - types: [ opened, synchronize, reopened ] - + types: [ labeled, opened, synchronize, reopened ] jobs: - # Prime a single LFS cache and expose the exact key for the matrix - WarmLFS: - runs-on: ubuntu-latest - outputs: - lfs_key: ${{ steps.expose-key.outputs.lfs_key }} - steps: - - name: Git Config - shell: bash - run: | - git config --global core.autocrlf false - git config --global core.longpaths true - - - name: Git Checkout - uses: actions/checkout@v4 - with: - fetch-depth: 0 - submodules: recursive - - # Deterministic list of LFS object IDs, then compute a portable key: - # - `git lfs ls-files -l` lists all tracked LFS objects with their SHA-256 - # - `awk '{print $1}'` extracts just the SHA field - # - `sort` sorts in byte order (hex hashes sort the same everywhere) - # This ensures the file content is identical regardless of OS or locale - - name: Git Create LFS id list - shell: bash - run: git lfs ls-files -l | awk '{print $1}' | sort > .lfs-assets-id - - - name: Git Expose LFS cache key - id: expose-key - shell: bash - env: - LFS_KEY: lfs-${{ hashFiles('.lfs-assets-id') }}-v1 - run: echo "lfs_key=$LFS_KEY" >> "$GITHUB_OUTPUT" - - - name: Git Setup LFS Cache - uses: actions/cache@v5 - with: - path: .git/lfs - key: ${{ steps.expose-key.outputs.lfs_key }} - - - name: Git Pull LFS - shell: bash - run: git lfs pull - Build: - needs: WarmLFS strategy: matrix: + isARM: + - ${{ contains(github.event.pull_request.labels.*.name, 'arch:arm32') || contains(github.event.pull_request.labels.*.name, 'arch:arm64') }} options: - os: ubuntu-latest framework: net7.0 @@ -69,7 +25,7 @@ jobs: sdk-preview: true runtime: -x64 codecov: false - - os: macos-26 + - os: macos-13 # macos-latest runs on arm64 runners where libgdiplus is unavailable framework: net7.0 sdk: 7.0.x sdk-preview: true @@ -81,19 +37,18 @@ jobs: sdk-preview: true runtime: -x64 codecov: false - - os: ubuntu-22.04-arm + - os: buildjet-4vcpu-ubuntu-2204-arm framework: net7.0 sdk: 7.0.x sdk-preview: true runtime: -x64 codecov: false - - os: ubuntu-latest framework: net6.0 sdk: 6.0.x runtime: -x64 codecov: false - - os: macos-26 + - os: macos-13 # macos-latest runs on arm64 runners where libgdiplus is unavailable framework: net6.0 sdk: 6.0.x runtime: -x64 @@ -103,32 +58,19 @@ jobs: sdk: 6.0.x runtime: -x64 codecov: false - - os: ubuntu-22.04-arm - framework: net6.0 - sdk: 6.0.x - runtime: -x64 - codecov: false + exclude: + - isARM: false + options: + os: buildjet-4vcpu-ubuntu-2204-arm - runs-on: ${{ matrix.options.os }} + runs-on: ${{matrix.options.os}} steps: - name: Install libgdi+, which is required for tests running on ubuntu if: ${{ contains(matrix.options.os, 'ubuntu') }} run: | - sudo apt-get update - sudo apt-get -y install libgdiplus libgif-dev libglib2.0-dev libcairo2-dev libtiff-dev libexif-dev - - - name: Install libgdi+, which is required for tests running on macos - if: ${{ contains(matrix.options.os, 'macos-26') }} - run: | - brew update - brew install mono-libgdiplus - # Create symlinks to make libgdiplus discoverable - sudo mkdir -p /usr/local/lib - sudo ln -sf $(brew --prefix)/lib/libgdiplus.dylib /usr/local/lib/libgdiplus.dylib - # Verify installation - ls -la $(brew --prefix)/lib/libgdiplus* || echo "libgdiplus not found in brew prefix" - ls -la /usr/local/lib/libgdiplus* || echo "libgdiplus not found in /usr/local/lib" + sudo apt-get update + sudo apt-get -y install libgdiplus libgif-dev libglib2.0-dev libcairo2-dev libtiff-dev libexif-dev - name: Git Config shell: bash @@ -142,22 +84,25 @@ jobs: fetch-depth: 0 submodules: recursive - # Use the warmed key from WarmLFS. Do not recompute or recreate .lfs-assets-id here. + # See https://github.com/actions/checkout/issues/165#issuecomment-657673315 + - name: Git Create LFS FileList + run: git lfs ls-files -l | cut -d' ' -f1 | sort > .lfs-assets-id + - name: Git Setup LFS Cache - uses: actions/cache@v5 + uses: actions/cache@v3 + id: lfs-cache with: path: .git/lfs - key: ${{ needs.WarmLFS.outputs.lfs_key }} + key: ${{ runner.os }}-lfs-${{ hashFiles('.lfs-assets-id') }}-v1 - name: Git Pull LFS - shell: bash run: git lfs pull - name: NuGet Install - uses: NuGet/setup-nuget@v2 + uses: NuGet/setup-nuget@v1 - name: NuGet Setup Cache - uses: actions/cache@v5 + uses: actions/cache@v3 id: nuget-cache with: path: ~/.nuget @@ -165,18 +110,12 @@ jobs: restore-keys: ${{ runner.os }}-nuget- - name: DotNet Setup - if: ${{ matrix.options.sdk-preview != true }} - uses: actions/setup-dotnet@v5 - with: - dotnet-version: | - 6.0.x - - - name: DotNet Setup Preview - if: ${{ matrix.options.sdk-preview == true }} - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@v4 with: dotnet-version: | + 8.0.x 7.0.x + 6.0.x - name: DotNet Build if: ${{ matrix.options.sdk-preview != true }} @@ -209,7 +148,7 @@ jobs: XUNIT_PATH: .\tests\ImageSharp.Tests # Required for xunit - name: Export Failed Output - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@v4 if: failure() with: name: actual_output_${{ runner.os }}_${{ matrix.options.framework }}${{ matrix.options.runtime }}.zip @@ -217,8 +156,11 @@ jobs: Publish: needs: [Build] + runs-on: ubuntu-latest + if: (github.event_name == 'push') + steps: - name: Git Config shell: bash @@ -233,10 +175,10 @@ jobs: submodules: recursive - name: NuGet Install - uses: NuGet/setup-nuget@v2 + uses: NuGet/setup-nuget@v1 - name: NuGet Setup Cache - uses: actions/cache@v5 + uses: actions/cache@v3 id: nuget-cache with: path: ~/.nuget @@ -259,3 +201,4 @@ jobs: run: | dotnet nuget push .\artifacts\*.nupkg -k ${{secrets.NUGET_TOKEN}} -s https://api.nuget.org/v3/index.json --skip-duplicate dotnet nuget push .\artifacts\*.snupkg -k ${{secrets.NUGET_TOKEN}} -s https://api.nuget.org/v3/index.json --skip-duplicate + From b7eeef0f1b5401020168aaac5957da48e98454ec Mon Sep 17 00:00:00 2001 From: James Jackson-South Date: Fri, 6 Mar 2026 14:32:11 +1000 Subject: [PATCH 4/4] Update build-and-test.yml --- .github/workflows/build-and-test.yml | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml index ec3ebfa1dc..ddd43f7966 100644 --- a/.github/workflows/build-and-test.yml +++ b/.github/workflows/build-and-test.yml @@ -25,7 +25,7 @@ jobs: sdk-preview: true runtime: -x64 codecov: false - - os: macos-13 # macos-latest runs on arm64 runners where libgdiplus is unavailable + - os: macos-26 framework: net7.0 sdk: 7.0.x sdk-preview: true @@ -48,7 +48,7 @@ jobs: sdk: 6.0.x runtime: -x64 codecov: false - - os: macos-13 # macos-latest runs on arm64 runners where libgdiplus is unavailable + - os: macos-26 framework: net6.0 sdk: 6.0.x runtime: -x64 @@ -69,8 +69,20 @@ jobs: - name: Install libgdi+, which is required for tests running on ubuntu if: ${{ contains(matrix.options.os, 'ubuntu') }} run: | - sudo apt-get update - sudo apt-get -y install libgdiplus libgif-dev libglib2.0-dev libcairo2-dev libtiff-dev libexif-dev + sudo apt-get update + sudo apt-get -y install libgdiplus libgif-dev libglib2.0-dev libcairo2-dev libtiff-dev libexif-dev + + - name: Install libgdi+, which is required for tests running on macos + if: ${{ contains(matrix.options.os, 'macos-26') }} + run: | + brew update + brew install mono-libgdiplus + # Create symlinks to make libgdiplus discoverable + sudo mkdir -p /usr/local/lib + sudo ln -sf $(brew --prefix)/lib/libgdiplus.dylib /usr/local/lib/libgdiplus.dylib + # Verify installation + ls -la $(brew --prefix)/lib/libgdiplus* || echo "libgdiplus not found in brew prefix" + ls -la /usr/local/lib/libgdiplus* || echo "libgdiplus not found in /usr/local/lib" - name: Git Config shell: bash