
As easy as it seems to be to just include an image decoder it feels like "must be a specific size bmp file" is a perfectly acceptable solution here.


...but what if the "must be a specific sized BMP file" rule is because if you were to flash the EPROM with, say, a PNG file it meant you suddenly got root over Intel's Management Engine in your CPU?


Parent is suggesting logic which refuses to parse the PNG standard, not extension/MIME-type validation.

Presumably a precision formatted PNG uploaded as a BMP will just render as a starry mess of color, assuming format confusion is possible within the BMP standard.


BMP isn't encoded at all. Effectively width + height followed by row ordered pixels.

Hard code file length and fail if the width or height are different. Copying pixels to the screen is hard to mess up.


BMP supports run length encoding.


Oh yeah, it supports the most useless of compression algorithms (outside of MSPaint pictures I guess).

Pick your favorite simplistic tool and give people a conversion program.


20 years ago that was, in fact, the solution.

(I wrote some tools back then to convert between 256-colour TIFF and the "AWBM" format needed by the BIOS on VIA's EPIA motherboards.)


I dunno, I think "solution" implies thought was put into this risk factor.

Assuming a security risk in writing to data read by the BIOS would be crazy 20 years ago. If you could update the image you already were inside the airlock.
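
Added example, not part of any comment above: a sketch in C of the "one fixed-size BMP only" check the thread describes, which also refuses the run-length-encoded variants mentioned. The 4x2, 24-bit geometry and the names `logo_bmp_check` and `logo_bmp_sample` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed logo geometry for this example; a real board would fix its own. */
#define LOGO_W   4u
#define LOGO_H   2u
#define LOGO_BPP 24u
#define HDR_LEN  54u  /* 14-byte file header + 40-byte BITMAPINFOHEADER */
#define ROW_LEN  (((LOGO_W * LOGO_BPP + 31u) / 32u) * 4u)  /* rows pad to 4 bytes */
#define FILE_LEN (HDR_LEN + ROW_LEN * LOGO_H)

/* Little-endian field helpers. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Returns 0 only for the single accepted layout; otherwise a negative reason code. */
int logo_bmp_check(const uint8_t *buf, size_t len)
{
    if (len != FILE_LEN)                return -1;  /* hard-coded file length */
    if (buf[0] != 'B' || buf[1] != 'M') return -2;  /* magic: a PNG stops here */
    if (rd32(buf + 2) != FILE_LEN)      return -3;  /* bfSize must agree */
    if (rd32(buf + 10) != HDR_LEN)      return -4;  /* bfOffBits: pixels follow headers */
    if (rd32(buf + 14) != 40u)          return -5;  /* biSize: no V4/V5 headers */
    if (rd32(buf + 18) != LOGO_W || rd32(buf + 22) != LOGO_H)
        return -6;                                  /* exact width, bottom-up height */
    if (rd16(buf + 26) != 1u || rd16(buf + 28) != LOGO_BPP)
        return -7;                                  /* biPlanes, biBitCount */
    if (rd32(buf + 30) != 0u)           return -8;  /* BI_RGB only: rejects RLE8/RLE4 */
    return 0;
}

/* Constructed sample: an all-black image in the accepted layout. */
void logo_bmp_sample(uint8_t *out)
{
    memset(out, 0, FILE_LEN);
    out[0] = 'B'; out[1] = 'M';
    wr32(out + 2, FILE_LEN); wr32(out + 10, HDR_LEN); wr32(out + 14, 40u);
    wr32(out + 18, LOGO_W);  wr32(out + 22, LOGO_H);
    out[26] = 1; out[28] = (uint8_t)LOGO_BPP;
}

int main(void)
{
    uint8_t f[FILE_LEN];
    logo_bmp_sample(f);
    return logo_bmp_check(f, sizeof f);  /* exit status 0 on accept */
}
```

Because every header field is compared against a constant, the pixel copy that follows can use compile-time sizes and never needs a length taken from the file.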



