From ce26f04f2d478bbf71bb72032dd0f07d75e629bf Mon Sep 17 00:00:00 2001
From: Albrecht Schlosser <albrechts.fltk@online.de>
Date: Sat, 3 Jul 2021 18:59:19 +0200
Subject: Check for valid length and simplify BOM check (#247)

---
 src/fl_images_core.cxx | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

(limited to 'src')

diff --git a/src/fl_images_core.cxx b/src/fl_images_core.cxx
index 260e9281c..1392652a3 100644
--- a/src/fl_images_core.cxx
+++ b/src/fl_images_core.cxx
@@ -145,8 +145,23 @@ fl_check_images(const char *name,               // I - Filename
     buf += lutf8; count -= lutf8;
   }
 
-  if ((count >= 5 && memcmp(buf, "<?xml", 5) == 0) ||
-      (count >= 4 && memcmp(buf, "<svg", 4) == 0))
+  // Check if we have a UTF-8 BOM in the first three bytes (issue #247).
+  // If yes we need at least 5 more bytes to recognize the signature.
+  // Note: BOM (Byte Order Marker) in UTF-8 is not recommended but allowed.
+
+  if (count >= 8) {
+    const uchar bom[3] = { 0xef, 0xbb, 0xbf };
+    if (memcmp(buf, bom, 3) == 0) {
+      buf += 3;
+      count -= 3;
+    }
+  }
+
+  // Check svg or xml signature
+
+  if ((count >= 5 &&
+       (memcmp(buf, "<?xml", 5) == 0 ||
+        memcmp(buf, "<svg ", 5) == 0)))
     return new Fl_SVG_Image(name);
 #endif // FLTK_USE_SVG
 
-- 
cgit v1.2.3