From c8e8f107bf82fb56f49101e1098f4c697b16cfeb Mon Sep 17 00:00:00 2001
From: Campbell Barton
Date: Fri, 15 Jul 2022 14:47:18 +1000
Subject: [PATCH] Fix T99711: Eternal loop reading blend file thumbnail

Account for negative BHead length (already handled by blend file loading).
---
 source/blender/blendthumb/src/blendthumb_extract.cc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/source/blender/blendthumb/src/blendthumb_extract.cc b/source/blender/blendthumb/src/blendthumb_extract.cc
index 369da559fc8..163197c8b67 100644
--- a/source/blender/blendthumb/src/blendthumb_extract.cc
+++ b/source/blender/blendthumb/src/blendthumb_extract.cc
@@ -121,6 +121,9 @@ static eThumbStatus blendthumb_extract_from_file_impl(FileReader *file,
 while (file_read(file, bhead_data, bhead_size)) {
 /* Parse type and size from `BHead`. */
 const int32_t block_size = bytes_to_native_i32(&bhead_data[4], endian_switch);
+ if (UNLIKELY(block_size < 0)) {
+ return BT_INVALID_THUMB;
+ }

 /* We're looking for the thumbnail, so skip any other block. */
 switch (*((int32_t *)bhead_data)) {
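Review bot: The added `block_size < 0` guard has no comment saying why a negative length must abort the scan, and since `block_size` is parsed straight from the file it is worth recording that the value is untrusted; a line such as `/* Length comes from the file: a negative value would make the block skip move backwards and never terminate (T99711). */` above the check would do. The backwards-skip mechanism is inferred from the commit message, because the skip itself lies outside the hunk. The guard rejects only negative values, so a positive length larger than the remaining file still flows on; whether the read/seek code later in `blendthumb_extract_from_file_impl` bounds it is not visible here and should be confirmed. The function body starts and ends outside the hunk.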