From 4b983db6b260f9ff581004c8bbeff9bb760786d6 Mon Sep 17 00:00:00 2001
From: Brian Popow <popow@gmx.de>
Date: Sun, 8 Mar 2026 17:17:49 +0100
Subject: [PATCH 1/2] Add check, if Offset is greater then stream length when
 reading colorMapSize

---
 src/ImageSharp/Formats/Bmp/BmpDecoderCore.cs | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/ImageSharp/Formats/Bmp/BmpDecoderCore.cs b/src/ImageSharp/Formats/Bmp/BmpDecoderCore.cs
index a1de790c3d..230526fd4a 100644
--- a/src/ImageSharp/Formats/Bmp/BmpDecoderCore.cs
+++ b/src/ImageSharp/Formats/Bmp/BmpDecoderCore.cs
@@ -1548,6 +1548,12 @@ internal sealed class BmpDecoderCore : ImageDecoderCore
                     case BmpFileMarkerType.Bitmap:
                         if (this.fileHeader.HasValue)
                         {
+                            if (this.fileHeader.Value.Offset > stream.Length)
+                            {
+                                BmpThrowHelper.ThrowInvalidImageContentException(
+                                    $"Pixel data offset {this.fileHeader.Value.Offset} exceeds file size {stream.Length}.");
+                            }
+
                             colorMapSizeBytes = this.fileHeader.Value.Offset - BmpFileHeader.Size - this.infoHeader.HeaderSize;
                         }
                         else

From 7d608dd08725dc0bd5ebd367cdf69cbd2f9abc34 Mon Sep 17 00:00:00 2001
From: Brian Popow <popow@gmx.de>
Date: Sun, 8 Mar 2026 17:18:22 +0100
Subject: [PATCH 2/2] Add test case for issue #3074

---
 .../Formats/Bmp/BmpDecoderTests.cs            | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/tests/ImageSharp.Tests/Formats/Bmp/BmpDecoderTests.cs b/tests/ImageSharp.Tests/Formats/Bmp/BmpDecoderTests.cs
index 6ebe1bf4e0..caa6c507dc 100644
--- a/tests/ImageSharp.Tests/Formats/Bmp/BmpDecoderTests.cs
+++ b/tests/ImageSharp.Tests/Formats/Bmp/BmpDecoderTests.cs
@@ -572,6 +572,7 @@ public class BmpDecoderTests
         Assert.IsType<InvalidMemoryOperationException>(ex.InnerException);
     }
 
+    // https://github.com/SixLabors/ImageSharp/issues/3067
     [Fact]
     public void BmpDecoder_ThrowsException_Issue3067()
     {
@@ -594,4 +595,32 @@ public class BmpDecoderTests
             using Image image = BmpDecoder.Instance.Decode(DecoderOptions.Default, stream);
         });
     }
+
+    // https://github.com/SixLabors/ImageSharp/issues/3074
+    [Fact]
+    public void BmpDecoder_ThrowsException_Issue3074()
+    {
+        // Crafted BMP: pixel data offset = 0x7FFFFFFF, actual file = 35 bytes
+        byte[] data =
+        [
+            0x42, 0x4D,                         // "BM" signature
+            0x3A, 0x00, 0x00, 0x00,             // file size: 58
+            0x00, 0x00, 0x00, 0x00,             // reserved
+            0xFF, 0xFF, 0xFF, 0x7F,             // pixel offset: 0x7FFFFFFF (2,147,483,647)
+            0x28, 0x00, 0x00, 0x00,             // DIB header size: 40
+            0x01, 0x00, 0x00, 0x00,             // width: 1
+            0x01, 0xFF, 0x00, 0x00,             // height: 65281
+            0x01, 0x00,                         // color planes: 1
+            0x08, 0x00,                         // bits per pixel: 8
+            0x00, 0x00, 0x00, 0x00,             // compression: RGB
+            0x00, 0x00, 0x00 // (truncated)
+        ];
+
+        using MemoryStream stream = new(data);
+
+        Assert.Throws<InvalidImageContentException>(() =>
+        {
+            using Image<Rgba32> image = Image.Load<Rgba32>(stream);
+        });
+    }
 }