RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-05-31 13:38:11 +00:00
Code Issues Activity Actions

LibGfx/ICC: Avoid overflow when constructing NamedColor2TagData

Browse source
This commit is contained in:
Tim Ledbetter 2023-10-14 21:38:01 +01:00 committed by Andreas Kling
parent a65d8ff2ea
commit 1a4df4ffe7
3 changed files with 11 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

1
Tests/LibGfx/TestICCProfile.cpp
View file

@ -262,6 +262,7 @@ TEST_CASE(to_lab)
TEST_CASE(malformed_profile)
{
Array test_inputs = {
TEST_INPUT("icc/oss-fuzz-testcase-59551.icc"sv),
TEST_INPUT("icc/oss-fuzz-testcase-60281.icc"sv)
};

BIN
Tests/LibGfx/test-inputs/icc/oss-fuzz-testcase-59551.icc Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 512 B

13
Userland/Libraries/LibGfx/ICC/TagTypes.cpp
View file

@ -760,8 +760,15 @@ ErrorOr<NonnullRefPtr<NamedColor2TagData>> NamedColor2TagData::from_bytes(Readon
auto& header = *bit_cast<NamedColorHeader const*>(bytes.data() + 8);
unsigned const record_byte_size = 32 + sizeof(u16) * (3 + header.number_of_device_coordinates_of_each_named_color);
if (bytes.size() < 2 * sizeof(u32) + sizeof(NamedColorHeader) + header.count_of_named_colors * record_byte_size)
Checked<u32> record_byte_size = 3;
record_byte_size += header.number_of_device_coordinates_of_each_named_color;
record_byte_size *= sizeof(u16);
record_byte_size += 32;
Checked<u32> end_of_record = record_byte_size;
end_of_record *= header.count_of_named_colors;
end_of_record += 2 * sizeof(u32) + sizeof(NamedColorHeader);
if (end_of_record.has_overflow() || bytes.size() < end_of_record.value())
return Error::from_string_literal("ICC::Profile: namedColor2Type has not enough color data");
auto buffer_to_string = [](u8 const* buffer) -> ErrorOr<String> {
@ -786,7 +793,7 @@ ErrorOr<NonnullRefPtr<NamedColor2TagData>> NamedColor2TagData::from_bytes(Readon
TRY(device_coordinates.try_resize(header.count_of_named_colors * header.number_of_device_coordinates_of_each_named_color));
for (size_t i = 0; i < header.count_of_named_colors; ++i) {
u8 const* root_name = bytes.data() + 8 + sizeof(NamedColorHeader) + i * record_byte_size;
u8 const* root_name = bytes.data() + 8 + sizeof(NamedColorHeader) + i * record_byte_size.value();
auto* components = bit_cast<BigEndian<u16> const*>(root_name + 32);
root_names[i] = TRY(buffer_to_string(root_name));