diff --git a/Userland/Libraries/LibGfx/ImageFormats/BMPLoader.cpp b/Userland/Libraries/LibGfx/ImageFormats/BMPLoader.cpp
index fee77bcdb9f..2388cbcfb6f 100644
--- a/Userland/Libraries/LibGfx/ImageFormats/BMPLoader.cpp
+++ b/Userland/Libraries/LibGfx/ImageFormats/BMPLoader.cpp
@@ -518,6 +518,11 @@ static ErrorOr<void> decode_bmp_header(BMPLoadingContext& context)
     // Ignore reserved bytes
     streamer.drop_bytes(4);
     context.data_offset = streamer.read_u32();
+    if (context.data_offset >= context.file_size) {
+        dbgln_if(BMP_DEBUG, "BMP has invalid data offset: {}", context.data_offset);
+        context.state = BMPLoadingContext::State::Error;
+        return Error::from_string_literal("BMP has invalid data offset");
+    }
 
     if constexpr (BMP_DEBUG) {
         dbgln("BMP file size: {}", context.file_size);
@@ -923,6 +928,12 @@ static ErrorOr<void> decode_bmp_dib(BMPLoadingContext& context)
         }
     }
 
+    if (context.data_offset >= context.file_size) {
+        dbgln_if(BMP_DEBUG, "BMP has invalid data offset: {}", context.data_offset);
+        context.state = BMPLoadingContext::State::Error;
+        return Error::from_string_literal("BMP has invalid data offset");
+    }
+
     context.state = BMPLoadingContext::State::DIBDecoded;
 
     return {};