by Gankro 3244 days ago
Yes, let us never forget how many exploits there are in trivial codecs like ICO and BMP, because they're written in C(++): https://bugzilla.mozilla.org/show_bug.cgi?id=775794#c0
1 comment

BMP isn't so trivial, largely because it's been extended multiple times while never having a proper spec.

http://searchfox.org/mozilla-central/rev/bbc1c59e460a27b2092... has some of the gory details.

And .ico is just .bmp with some extras.