From 0ef449a5889dbff9ce1ccc8748422f80bab59125 Mon Sep 17 00:00:00 2001
From: Lucas CHOLLET
Date: Tue, 9 Jan 2024 17:43:52 -0500
Subject: [PATCH] LibGfx/TIFF: Don't crash on invalid indices inside RGBPalette images

We were previously accessing a Vector's element using a user-provided value as index input.
---
 Userland/Libraries/LibGfx/ImageFormats/TIFFLoader.cpp | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/Userland/Libraries/LibGfx/ImageFormats/TIFFLoader.cpp b/Userland/Libraries/LibGfx/ImageFormats/TIFFLoader.cpp
index 90b0e3ecf2..2a0eff3a4c 100644
--- a/Userland/Libraries/LibGfx/ImageFormats/TIFFLoader.cpp
+++ b/Userland/Libraries/LibGfx/ImageFormats/TIFFLoader.cpp
@@ -189,6 +189,9 @@ private:
 auto const color_map = *m_metadata.color_map();
+ if (blue_offset + index >= color_map.size())
+ return Error::from_string_literal("TIFFImageDecoderPlugin: Color index is out of range");
+
 // FIXME: ColorMap's values are always 16-bits, stop truncating them when we support 16 bits bitmaps
 return Color(
 color_map[red_offset + index] >> 8,
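Review bot: The new guard tests only `blue_offset + index`, so it bounds the red and green lookups only if `blue_offset` is the largest of the three offsets and the addition cannot wrap. Both facts are decided outside this hunk, so a one-line comment above the `if`, such as `// blue_offset is the highest offset, so this check bounds all three lookups`, would record the assumption for the next reader. The context line just above, `auto const color_map = *m_metadata.color_map();`, dereferences the color map with no presence check visible here; if nothing earlier rejects a palette image that lacks a ColorMap tag, that may be a second file-controlled crash path worth turning into an error return in the same way. The diffstat shows only the loader changing, so a regression test that decodes a palette image with an out-of-range index and expects the error would keep this fix from regressing. The enclosing function starts and ends outside the hunk.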