RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-27 12:17:44 +00:00
Code Issues Activity Actions

LibGfx/ICC: Avoid overflow when creating MultiLocalizedUnicodeTagData

Browse source 
Previously, it was possible for a `MultiLocalizedUnicodeTagData` object
with a incorrect length  or offset fields to cause a buffer overflow.
This commit is contained in:
Tim Ledbetter 2023-11-11 11:10:08 +00:00 committed by Andreas Kling
parent f9068c7f2e
commit 10624a2beb
1 changed files with 6 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

8
Userland/Libraries/LibGfx/ICC/TagTypes.cpp
View file

@ -694,7 +694,11 @@ ErrorOr<NonnullRefPtr<MultiLocalizedUnicodeTagData>> MultiLocalizedUnicodeTagDat
// encoding, should the need arise, without having to define a new tag type." // encoding, should the need arise, without having to define a new tag type."
if (record_size < sizeof(MultiLocalizedUnicodeRawRecord)) if (record_size < sizeof(MultiLocalizedUnicodeRawRecord))
return Error::from_string_literal("ICC::Profile: multiLocalizedUnicodeType record size too small"); return Error::from_string_literal("ICC::Profile: multiLocalizedUnicodeType record size too small");
if (bytes.size() < 16 + number_of_records * record_size)
Checked<size_t> records_size_in_bytes = number_of_records;
records_size_in_bytes *= record_size;
records_size_in_bytes += 16;
if (records_size_in_bytes.has_overflow() || bytes.size() < records_size_in_bytes.value())
return Error::from_string_literal("ICC::Profile: multiLocalizedUnicodeType not enough data for records"); return Error::from_string_literal("ICC::Profile: multiLocalizedUnicodeType not enough data for records");
Vector<Record> records; Vector<Record> records;
@ -715,7 +719,7 @@ ErrorOr<NonnullRefPtr<MultiLocalizedUnicodeTagData>> MultiLocalizedUnicodeTagDat
if (record.string_length_in_bytes % 2 != 0) if (record.string_length_in_bytes % 2 != 0)
return Error::from_string_literal("ICC::Profile: multiLocalizedUnicodeType odd UTF-16 byte length"); return Error::from_string_literal("ICC::Profile: multiLocalizedUnicodeType odd UTF-16 byte length");
if (record.string_offset_in_bytes + record.string_length_in_bytes > bytes.size()) if (static_cast<u64>(record.string_offset_in_bytes) + record.string_length_in_bytes > bytes.size())
return Error::from_string_literal("ICC::Profile: multiLocalizedUnicodeType string offset out of bounds"); return Error::from_string_literal("ICC::Profile: multiLocalizedUnicodeType string offset out of bounds");
StringView utf_16be_data { bytes.data() + record.string_offset_in_bytes, record.string_length_in_bytes }; StringView utf_16be_data { bytes.data() + record.string_offset_in_bytes, record.string_length_in_bytes };